CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!

Save my spot!

GitGuardian Internal Monitoring demo - Secrets detection in source code repositories

GitGuardian's internal monitoring solution helps unite Dev. Sec. and Ops to fight hardcoded secrets. In this short demo, we show exactly how GitGuardian can help identify secrets inside your source, quickly and effectively remediate incidents and prevent secrets from being committed into source code repositories.

Video Transcript

hi there I'm Mackenzie and I'm a developer and security Advocate right here at get guardian and in this short video I would like to give you an overview of good guardian's internal monitoring platform devops Cloud infrastructure continuous integration and continuous deployment are really the lifeblood of modern software development practices that make the applications that build our digital lives but now more than ever software developers are expected to write test build and ship applications at a rapid pace as they travel through the software development life cycle and go deep and wide into it they can unknowingly introduce security vulnerabilities into their source code for example hard-coded credentials and other secrets these secrets can be hidden deep into our source code in Version Control history they can be in our CI CD setup files they can even be in our Cloud infrastructure plus a many many more places to reduce the risk of exposed Secrets get Guardians internal monitoring platform integrates continuous security right into the development workflow and processes this helps Empower software developers to take responsibility for security by providing them with actionable remediation steps following on from incidents get Guardian helps bring together Dev SEC and Ops to help combat secrets for all thanks to four core pillars monitoring detection remediation and of course prevention so come with me now and let's take a closer look at git guardian's internal monitoring platform complete visibility into your Version Control Systems and the repositories that they host is only a few clicks away with Git guardian's internal monitoring platform security teams can connect with GitHub GitHub Enterprise git lab bitbucket Data Center and Azure repos with a native Integrations let's start by connecting a few GitHub repositories into our dashboard once in the perimeter repositories are scanned right back to the initial commit on every Branch historical scanning can give security teams an understanding of their historic security debt that they have in the repositories from then on the perimeter is monitored continuously every single commit that is then made is instantly scanned by git Guardian to detect any secrets or other security policy breaks this gives real-time protection around the clock get Guardian internal monitoring also comes with powerful library of credential and secret detectors that combine pattern matching technology with high entropy detectors it supports more than 350 specific Secrets such as third-party API keys and database connection URLs but it also supports generic credentials for instance private Keys JWT tokens username and password peers and many many more security games can also extend the detection capabilities and configure it to scan for custom patterns and organization specific keywords it's important that organizations benefit from the widest possible coverage so that they can identify and secure all the different tools in the software development lifecycle in addition to its extensive coverage getguardian Secrets detection engine also offers very high accuracy but also exceptionally low false positives rates every year we test our engine against more than one billion commits we do this by scanning every single public commit made on the github.com platform every single year the detection engine not only looks for plain tech secrets but it also monitors repositories for the presence of sensitive files such as dot EnV files or dot pem certificates in total more than a dozen policies are activated by default detecting Secrets is only half the battle Your Guardian also helps with the other half remediation every incidence that is raised is filled with a lot of contextual information that's really going to help your security team understand the severity of the incident and also provide insights into the optimal path for remediation dick Guardian will also attach an author to the incident point the security engineer to its location in the Version Control platform repository and also the file it will show a preview of the patch or code surrounding the secret and it'll indicate whether or not the hard-coded secret was exposed publicly and if it was found through an historical or a real time scan and lastly get Guardian performs this for every occurrence often a unique secret is checked into Source control by various different developers and it ends up scattered across multiple files and repositories which adds further complexity to the remediation process the enriched incident data also enables security teams to sift through hundreds or thousands of issues and tackle the most pressing ones first minimizing the risk of exposure where it matters get Guardian has developed a unique approach to remediation it allows organizations to share the process of investigating and remediating incidents fairly between security teams but also the developers themselves when a secret is detected get Guardian automatically notifies the multiple developers involved and shares with them a short questionnaire to fill out and send back to the security team developers own the context they know which resources are protected by the secrets that they have exposed and they know how sensitive they are so it only makes sense to automatically request more information from them and in some cases allow them to fix and remediate the incident by themselves when developers resolve an incident the platform is capable of delivering proof of this remediation gagadian can verify that the hard coat of secret has been effectively revoked and rotated and that it no longer represents an active threat the platform can also check for the presence of a secret in the commit history and whether all traces of the incident have been removed or not continuous monitoring of source Control Management servers is critical to enhancing the security posture of the software development life cycle but with age incidents requiring security and operation teams to spend hours investigating Gathering feedback revoking or replacing the credentials and then redeploying the services without any disruption while remediation can be a very costly operation and that's why it's best to catch incidents as early as possible in the software development life cycle and shifting security left is the key to be able to do this shifting security left in the software development life cycle by providing developers with early feedback when incidents happen is the best way to combat secrets for all with GG Shield Guardian CLI tool we can integrate secret detection early in development life cycle for instance we can use pre-commit or pre-push hooks to catch Secrets before they enter into the source Control Management Service this says the developers operation teams security teams hours of remediation time because the secrets aren't exposed in the source control system finally gigguardian provides security teams with detailed analytics and Reporting this helps them understand the secrets exposure trends zero in on development teams and repositories that leak the most secrets and identify areas of improvement it's important that security teams measure their progress towards a software development life cycle that is free from secrets hard-coded secrets is a pervasive problem in the cloud native era but with the right mindset and solutions we believe that engineering and security teams can have the last word giggarden doesn't just provide an end-to-end solution for automated Secrets detection and Remediation but we also work with organizations and security teams to roll out a comprehensive plan that will increase the security posture of the software development life cycle world-renowned companies like instacarts snowflake or orange and over 200 000 developers find your guardian to be the perfect partner to make sure that secrets are not inside their source code if you want to find out more about gig Guardian then please head to our website at getguardian.com and reach out to us from the context page we'd love to hear from you and until next time I hope you enjoyed this video and I'll see you later