"Alerts us about secrets being leaked so that we can remediate, and shows vulnerabilities in open-source software"

Michael Schmitz

Director of Engineering at Allen Institute for Artificial Intelligence

Software vendor currently using GitGuardian Public Monitoring

  • Review by a Real User

  • Verified by PeerSpot

What is our primary use case?

We work for a research institute and there are a lot of disparate security practices. A lot of people work for us for short periods of time, through internships and other temporary positions, and it's been hard to communicate security best practices across the company. GitGuardian helps prevent the leaking of secrets, but it's also for educating our company about our policies.

How has it helped my organization?

The main benefit is that, previously, secrets would be leaked and nobody would ever hear about it. Now, we actually have alerts and the opportunity to follow up with researchers to deal with these problems. It has provided the opportunity to collaborate on remediation rather than not knowing there are issues.

In addition, we do a review of security alerts when we open-source software. We used to have a script that we wrote that we would run to scan these repositories. It would produce a lot of noise. Now, we go to GitGuardian and immediately we have a dashboard that tells us what vulnerabilities there are.

GitGuardian has helped to modestly increase security team productivity whenever we do a review of open-source software for security leaks. Previously, that would take about an hour per repository, and now it takes five minutes. We have 1,500 repositories, which is a lot. We're open-sourcing them weekly, so it doesn't amount to a huge number of hours, but it's turned something that was fairly inconvenient, that had the potential to take an hour out of someone's day, into something that's just quick, easy, minimal, and more effective.

It has also helped to decrease false positives.

What is most valuable?

The most valuable feature is the alerts when secrets are leaked and we can look at particular repositories to see if there are any outstanding problems. In addition, the solution's detection capabilities seem very broad. We have no concerns there.

In terms of the accuracy of detection and the solution's false positive rate, we had to make some adjustments, but now that we've made those adjustments we're very happy with where we are.

We have also used the dev-in-the-loop feature, and it works well when it comes to remediating an incident. For collaboration between developers and security teams it's very good.

What needs improvement?

We have been somewhat confused by the dashboard at times.

For how long have I used the solution?

We've been using GitGuardian Internal Monitoring for about a year.

What do I think about the stability of the solution?

I have no concerns about its stability at all.

What do I think about the scalability of the solution?

We also have no concerns about its scalability. Maybe we'll hit something, but I've seen no evidence of scalability issues.

We're using it for about one-third of our organization. We'd like to use it for more.

How are customer service and support?

We've always gotten quick, thorough responses from their technical support.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

It was very easy to get started. There was an amazing trial where they showed us vulnerabilities we already had.

It requires no maintenance on our side.

What's my experience with pricing, setup cost, and licensing?

It's not cheap, but it's not crazy expensive either. We negotiate a price and it stays at that price, which is very nice.

Which other solutions did I evaluate?

We did evaluate other products over a fairly long period of time, but GitGuardian stood out in that it was something we would pay for and we wouldn't have to worry about it. It would just work.

What other advice do I have?

I would tell a security colleague who says that secrets detection is not a priority that it might be worth trying this tool out and seeing what it shows you before jumping to that conclusion.

The importance of secrets detection to a security program for application development is tough to determine because the biggest players already detect secrets on GitHub and disable those tokens. If I pretend those don't exist, then it's extremely important. Since they do exist, it's somewhat important.

Try out GitGuardian Internal Monitoring. It's easy to try it out and you can go from there.