This Value Calculator will help you estimate the probable costs of not dealing with a security debt consisting of thousands of hard-coded secrets today. Customize your outcomes. Enter the number of active developers, and then see the likely scope of your secrets’ exposure. With this information, you can show your management team why investing in GitGuardian Secrets Detection is worth it.
Enter the number of active developers in your company:
Secrets exposure
X
hardcoded secrets every year
Improved Secrets Management Posture
20-22% fewer incidents to be closed every month
Cost reduction
X
full-time equivalent-hours saved
Increased productivity
X
full-time equivalents (FTEs) saved
A Developer commits around 3 secrets/year on average. The chart here shows the potential security debt incurred by your company over the next six years, taking into account historical incidents, in addition to a volume of X new hardcoded secrets every year and no GitGuardian Platform or its additional preventative measures in place. The longer these hardcoded secrets are there, the more potential attack vectors there are for a malicious actor.
This graph will dynamically generate based on the number of active developers you input in the field above.
There has been an increase in high-profile incidents and supply chain attacks involving stolen source code (Dropbox, Microsoft, Samsung Electronics, NVIDIA, LastPass, Octa, Slack) or secrets that have been leaked (Uber, CircleCI). So, it is essential for you to deal with the thousands of hardcoded secrets hiding in your source code, CI/CD pipelines, or Docker images today.
Use of stolen or compromised credentials remains the most common cause of a data breach. Stolen or compromised credentials were the primary attack vector in 19% of breaches in the 2022 study and also the top attack vector in the 2021 study, having caused 20% of breaches. Breaches caused by stolen or compromised credentials had an average cost of USD 4.50 million.
I would say, “Good luck,” to someone who says secrets detection isn’t a priority. Their priorities are probably wrong. One of the easiest ways for intrusion, as well as losing a lot of money in your company, is getting your secrets leaked somehow.
Secrets being used to access resources is probably one of the most common ways to be involved in a high-profile breach these days. If you are not detecting secrets in code, then every developer’s machine is a security breach waiting to happen.
Case Study
Challenge
The telecom provider has ten thousand developers and was struggling to manage its secrets from being leaked. The primary challenge was preventing their developers from causing security breaches due to leaked secrets. They needed a solution that would catch secrets in real-time and at various stages of development to prevent them from being committed to their repositories.
Solution
GitGuardian CLI - ggshield is a developer-first tool. This solution helps developers scan source code on their local workstations to uncover vulnerabilities during code creation. ggshield integrates with pre-commit and post-commit git hooks, helping the developers catch hardcoded credentials and fix their code before pushing it to collaborative environments (remote branches on the Version Control System).
Results
GitGuardian offered its CLI tool, ggshield, which could be run in pre-commit, pre-receive, in the CI, and at the VCS level. By using the tool at multiple stages of development, the company was able to shift left and catch secrets early on, before they could cause a major breach. This approach reduced the company's real-time secrets incidents by 72%, which is more than two times the reduction observed in companies without any preventative checks. The tool was easy to implement and provided a scalable solution that could be used by all of their developers.
Ease of use and integration with Github. Instant alert whenever you mistakenly check a secret into your commits. You can easily manage (resolve, ignore, etc) all incidents from the GitGuardian dashboard.
We have seen an increase in the security of our codebase, as well as an improvement in the speed and accuracy of our code reviews. This has enabled us to quickly identify and address any potential security issues before they become a problem. Additionally, we have seen an increase in our ROI as a result of using GitGuardian Internal Monitoring, as it has allowed us to save time and money by preventing costly security breaches.
There is a “scissor effect”. It is normal as upon implementation, GitGuardian helps to discover a large number of secrets incidents that were previously unknown. As the security team begins to address these issues, the number of incidents being remediated is high. Then the number of new incidents detected and remediated gradually decreases. They have to close on average 10% fewer incidents every month as the organization's secrets detection and secrets management posture improves. Our most diligent customers experience around 20-22% fewer incidents every month.
It has also helped to increase our security team's productivity. We have around 110 repositories and if we had to remove something one-by-one it would be very hard, but with this solution, we can do so from all of them at the same time, which saves us months—not even days—but months.
Emre Ceevik, DevOps Engineer
at a comms service provider with 11-50 employees
The average cost of remediation is often at least in the 2 man-hours per incident ballpark. GitGuardian saves this significant amount of time that would otherwise be spent on reviewing code and logs for secrets, creating Jira tickets manually, copying and pasting information between systems, alerting, prioritizing, and manually verifying if the exposed credential is still valid. By automating the process of detecting, remediating, and preventing secrets incidents, the GitGuardian Platform allows teams to focus on more important tasks and achieve their goals more efficiently.
Cost reduction
X
full-time equivalents - hours saved
Reducing the amount of time Developers and AppSec staff spend blocked, fixing issues, and training on secure coding leads to increased productivity. And increased productivity means you don’t have to add more FTEs for your AppSec team. Our automated platform and remediation playbooks allow you to monitor, detect, prioritize, investigate, and remediate incidents without the need to hire X additional full-time equivalents. (based on your number of active developers input)
Increased productivity
X
full-time equivalents (FTEs) saved
It's equivalent to a security engineer reviewing every pull request to look for secrets. We have dozens and dozens of pool requests and commits daily, and GitGuardian performs a security review of each commit. We couldn't scale by having one person perform all that work. GitGuardian saves the security team about four to six hours per incident.
Peter Henggeler,
Security Engineer at Recidiviz
Top benefits of GitGuardian as reported by customers on review websites like PeerSpot.
Higher likelihood of a breach.
Chances that a violation of compliance will result in significant fines.
The manual process of monitoring and responding to secret incidents consumed the time and effort of the AppSec team. AppSec team acts as the intermediary and tells the developer there is an alert.
Training developers in security best practices required a significant amount of time from security engineers.
Reduced likelihood of a breach by alerting when secrets are leaked and developing shift left mindset.
To avoid fines, you can identify secrets, take immediate action, and ensure compliance with frameworks like SOC 2, GDPR, and NIST.
Thanks to our automated platform, operational burden is reduced and the AppSec team can concentrate on higher-value strategic initiatives.
The security engineers' time is saved by our automated remediation playbooks and just-in-time training and security awareness for developers.
Streamlined incident management, prioritization alerting, and remediation process on one centralized platform.
GitGuardian leads the way in Non-Human Identity security, offering end-to-end solutions from secrets detection in code, productivity tools and environments to strong remediation, observability and proactive prevention of leaks.
.svg)
