Opt for a solution that gives visibility into every corner of your software development lifecycle. Ideally, the solution should connect to your Version Control Systems (GitHub, GitLab, Bitbucket, Azure Repos), CI/CD tools, and package registries, and map all the assets it should monitor. With solutions that require manual input of your assets, you may be missing visibility over some of the developer activity and areas of risk in your software development lifecycle.
Also, look for a solution that provides an aggregated view of your incident data in a rich user interface or dashboard. It will be easier for your security and development teams to find, investigate, and collaborate on remediating their incidents.
Organizations often don’t have a complete inventory of the third-party services or internal components their development teams create and maintain. Given this blind spot, look for a solution that supports detecting a wide range of secrets: specific, generic, or even custom patterns.
If a solution cries wolf, its adoption by security engineers and developers will likely be low. Over time, false positives lead to “alert fatigue.” From our experience, users of certain open-source secret scanners report many false positives. Secret scanners that rely on entropy checks without performing additional contextual analysis of the code are prone to this.
Tip: Don’t be lured by the false promise of zero false positives. If a code security tool does not report false positives, chances are high that it silently skips real findings.
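To make the entropy-versus-context point concrete, here is an added example (written for this page, not GitGuardian's or any scanner's code) that runs a bare entropy check and a context-aware check over a few constructed lines; the sample values, regexes and thresholds are illustrative assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample lines: none of these values come from a real repository.
SAMPLE_LINES = [
    'api_key = "kq7Zr2Vm9Xs4Wp1Bn8Ct5Hy3Lg6Jd0Fe"',          # credential assigned to a telling name
    "commit 3f2b9c1d8e7a4f6b5c0d9e8f7a6b5c4d3e2f1a0b",          # git commit SHA: high entropy, no secret
    'sha256 = "89abcdef01234567fedcba987654321013579bdf02468ace0f1e2d3c4b5a6978"',  # lockfile checksum
    'message = "user_logged_in_successfully"',                  # ordinary identifier
    'headers = {"X-Api-Key": "Wm3Qk8Zt5Xr1Pv7Nc2Lh9Jd4Bf6Sg0Ya"}',  # credential without an assignment
]

HEX_RE = re.compile(r"[0-9a-fA-F]{32,}")
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Variable-name context a "telling" assignment would carry (deliberately simple, assumed).
CREDENTIAL_NAME = re.compile(r"(?i)(secret|token|passw(or)?d|api[_-]?key|auth)\w*\s*[:=]")

def shannon_entropy(s: str) -> float:
    """Bits per character; a 32-character string with no repeated character scores exactly 5.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def high_entropy_tokens(line: str) -> list[str]:
    """Entropy-only detection: the approach the text says is prone to false positives."""
    hits = []
    for tok in B64_RE.findall(line):  # hex digests also match the base64 character set
        limit = 3.0 if HEX_RE.fullmatch(tok) else 4.5  # thresholds similar to common entropy scanners
        if shannon_entropy(tok) >= limit:
            hits.append(tok)
    return hits

def contextual_findings(line: str) -> list[str]:
    """Same candidates, then context: keep a token only when the line assigns it to a
    credential-like name, and drop bare hex digests (commit SHAs, checksums) even then."""
    hits = high_entropy_tokens(line)
    if not hits or not CREDENTIAL_NAME.search(line):
        return []
    return [t for t in hits if not HEX_RE.fullmatch(t)]

def scan(lines: list[str], detector) -> dict[int, list[str]]:
    """Map 1-based line number -> tokens the detector reports on that line."""
    return {i: h for i, line in enumerate(lines, start=1) if (h := detector(line))}

if __name__ == "__main__":
    # Entropy-only reports lines 1, 2, 3 and 5 (two true positives, two false positives);
    # the contextual pass reports only line 1 and misses the header on line 5: the tip's point.
    print("entropy-only:", scan(SAMPLE_LINES, high_entropy_tokens))
    print("contextual:  ", scan(SAMPLE_LINES, contextual_findings))
```

Entropy alone reports the commit SHA and the checksum as if they were secrets, while the context rule clears them but then misses the key passed in a header, which is why the text asks for contextual analysis on top of entropy rather than a tool that claims zero false positives.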
Detection is only the start; you must also devise a process for remediating hardcoded secrets. Opt for a solution that will support your teams throughout remediation with features like automated alerting, ticketing, prioritization, and collaboration. Make sure that the solution of your choice also integrates developers in the process.
Developers are responsible for hardcoding secrets during software development. Pick a solution capable of providing your developers with early feedback and alerting them while writing code in their IDE or creating a pull/merge request. This will heighten their security senses and help prevent exposing more secrets.
The right solution will help you remediate more incidents in less time. The key is finding one that’s powerful yet intuitive. If it takes your team months to get the hang of it and integrate it within your existing pipeline, that’s a lot of lost time and productivity.
Tip: Read vendor reviews to see how easy end users find a solution. Check out these examples from GitGuardian users on Capterra, G2, PeerSpot, Sourceforge, etc.
Prefer a solution that will adapt to your evolving technological stack. Ideally, it should integrate with multiple source control servers, CI/CD systems, package registries, etc. It should also be able to scan hundreds or thousands of repositories, regardless of their size, covering all code contributions from your developers. If your organization has strict data privacy requirements, look for a solution that can be self-hosted on your infrastructure.
Addressing secrets sprawl in an organization is a complex and cumbersome task. A dedicated support team with specialized experts can help accelerate onboarding during the initial pilot, have a smooth setup and deployment process, devise remediation workflows, discuss product-related questions, and provide answers almost instantly.
Tip: Ask your vendor for reference calls and similar deployment examples.
Open Source Alternatives
TruffleHog Open Source (v3) is a popular command-line interface (CLI) that helps find hardcoded secrets in git repositories and other developer tools.
Gitleaks is an open-source secret scanner for git repositories, files, and directories.
Yelp detect-secrets is a Python CLI and library for detecting secrets within a codebase; it scans files within Git repositories using a pattern matching or entropy filtering technique.
VCS Security Packs
GitHub makes extra security features available to customers under a GitHub Advanced Security license. These features include code scanning, secret scanning, and dependency review.
GitLab Secret Detection uses an analyzer containing the Gitleaks tool to scan the repository for secrets.
Point Solutions
SpectralOps (now part of Check Point) offers Spectral Scan, a single self-contained binary that helps find hardcoded secrets and Infrastructure-as-Code misconfigurations in source code and CI/CD pipelines.
Cycode is a software supply chain security solution that provides visibility, security, and integrity across all phases of the SDLC.
Apiiro is a cloud application security platform that empowers security and development teams with complete visibility and actionable context to proactively remediate critical risks in modern applications and software supply chains.
BluBracket (acquired by HashiCorp) is a security solution for code in a software-driven world. BluBracket gives companies visibility into where source code introduces security risk while enabling them to fully secure their code—without altering developer workflows or productivity.
With GitGuardian actions, we were able to take all repos to the cloud, which is better. We also weren't able to see the coding history before, such as who left a password in the code. With GitGuardian, you can see everything in the history. You can clean things well when you are able to see the historical changes in the code. We also tried open-source tools, but the false positives made them a waste of time.
Emre Ceevik, DevOps Engineer
We were using another product on GitHub, similar to GitGuardian, but it was not really as good as GitGuardian. The graphical interface and the detail GitGuardian gives you are really amazing. And there are fewer false positives than any other platform. We are able to notify developers of issues on the spot and tell them, "You have exposed a secret." It is absolutely brilliant.
Abbas Haidar, Head of InfoSec