Secrets, Identity, and Access Management Security in a Cloud-Native World

By Community Team

They say that in the world of cybersecurity, the devil is always in the details. But what if the very foundation upon which an organization’s defenses are built is quietly crumbling from within?

This was the unsettling realization that struck Eric Fourrier back in 2017. Working alongside his friend Jérémy, the two data scientists began exploring the troves of publicly available code on GitHub, the world’s largest open-source platform. What they uncovered there would soon propel them to found GitGuardian, a thriving code security company now serving some of the world’s largest enterprises.

Eric Fourrier
Co-founder and CEO of GitGuardian

We sat down with Eric, now GitGuardian’s CEO, to discuss the company’s origins, its focus on preventing the exposure of hardcoded secrets, and the crucial necessity for organizations to protect the programmatic credentials, or ‘secrets,’ that their systems depend on.

Hi Eric, we heard that for GitGuardian, it all started with a serendipitous discovery. Can you tell us the story?

Absolutely. The story goes back to when Jérémy (my co-founder) and I were just starting to explore the public repositories on GitHub. As we were analyzing the trove of publicly available data we were capturing, I came across credentials associated with a US government organization’s email address. I couldn’t believe what I was seeing.

We immediately tried to contact the person responsible to have them revoke the exposed key, but there was no response. After persistently following up for several days, the issue finally made its way to the security team. But what struck us was the apparent misunderstanding about the causes and consequences of this leak, even though it should have been a straightforward fix.

That’s when we really grasped the magnitude of the problem. These hardcoded secrets, which are the lifeblood powering access to critical systems and data, were being routinely exposed—whether in public repositories or private codebases. The implications for identity access management (IAM) security were profound.

Can you explain what secrets are and why they are especially important in the context of cloud-native software?

Secrets are the programmatic credentials that allow distributed software systems to communicate with each other securely. They come in various forms – API tokens, database username and password combinations, private keys, and so on. The common thread is that these secrets need to remain confidential to ensure the integrity of the software applications using them.

In the cloud-native world, secrets have become even more crucial. They are often the sole basis of trust, powering what we call “machine identities” – service accounts, bots, schedulers, and other non-human entities that automate various functions. As organizations embrace DevOps practices and increasingly automate their workflows, the number of these machine identities has exploded, far outnumbering traditional human user accounts.

Secrets are truly the building blocks of identity and access management (IAM) in the cloud. As the notion of a secure perimeter has eroded, protecting these secrets has become paramount for cybersecurity professionals. Without proper management and security of secrets, the entire IAM process becomes compromised, leaving organizations vulnerable to data breaches and unauthorized access.

Was that a big revelation for you when you started working on this issue of secrets being exposed?

Every developer knows that no secret should be hardcoded in public source code. Yet, developers are managing more identities than ever before and lack the proper guidelines for securely handling these credentials. The rate of leakage has been steadily increasing over the years, as documented in our annual report, the State of Secrets Sprawl. We detected 12.8 million newly exposed secrets just in 2023—28% higher than the previous year, and since we started reporting it in 2021, this number has quadrupled.

This has serious security implications for companies, as many of the exposed credentials were actually corporate ones. These exposed corporate credentials have the potential to cause tens of millions of dollars in damage, as they can undermine even the most robust identity and access management (IAM) controls, leaving an organization’s most sensitive assets vulnerable to attack.

For years, security professionals have operated under the assumption that the secrets powering access to critical systems and data would remain safely guarded. However, this assumption has proven to be false in many situations, particularly with the advent of cloud computing and the widespread adoption of cloud services.

The dynamic and ever-evolving nature of cloud computing frontiers makes it particularly challenging to track and secure these sensitive credentials, highlighting the need for more robust guidelines and best practices to handle identities and access in the modern digital landscape.

How has IAM evolved in the cloud era compared to traditional on-premises environments?

In traditional on-premises environments, sysadmins managed user accounts and permissions within a well-defined perimeter. Today, organizations deal with a vast and complex ecosystem of services, applications, and resources spread across multiple cloud providers: identity has become “the new perimeter.”

IAM in the cloud is more intricate and dynamic. It involves managing identities and access controls across a distributed infrastructure, where resources can be provisioned and de-provisioned rapidly. The benefits are enormous, as it has created a lot of value and, when well-managed, can make the whole organization much more efficient. But the tradeoff is that overseeing these dynamic systems is much more complex.

Organizations need to navigate the complexities of configuring permissions, credentials, and access controls across multiple cloud services, while ensuring consistent enforcement of security policies.

What are the risks posed by leaked secrets?

The risks posed by leaked secrets are significant. Hardcoded secrets can completely undermine even the most robust IAM strategy.

When secrets are leaked, attackers can gain a direct path to compromising an organization’s cloud infrastructure and sensitive data, effectively bypassing any IAM controls in place. This is because leaked secrets provide attackers with the necessary credentials to access restricted resources.

Exploiting exposed secrets requires less sophistication than runtime application attacks. The accessibility and simplicity of leveraging exposed secrets pose a considerable threat, helping attackers gain initial access or achieve lateral movement within systems, creating a persistent threat.

Long-lived credentials, such as static ones that never expire, are a major contributor to cloud security breaches. These types of credentials are widely regarded as insecure, not only because they never expire but also because they can easily be leaked in source code, container images, or configuration files. Leaks of long-lived credentials are one of the most common causes of security breaches in the cloud.

Despite the common knowledge of this attack vector, research conducted by GitGuardian has shown that hardcoded secrets are alarmingly prevalent in both private and public code repositories. This highlights the significant security risks posed by the widespread presence of leaked secrets, which can undermine even the most robust IAM controls and leave organizations’ sensitive assets vulnerable to attack.

Given the significant risks associated with leaked secrets, what can organizations do to enhance their IAM security posture?

Because secrets are one of the pillars of identity and access management, organizations should adopt robust secrets management practices to enhance their IAM security posture.

Implementing measures to detect and remediate hardcoded secrets across the entire DevOps toolchain is essential. This includes continuously scanning code repositories, both public and private, as well as other development tools like chat messages, project management tickets, and documentation for the presence of hardcoded secrets.

Solutions like GitGuardian’s Secrets Detection can help organizations achieve this. The GitGuardian solution provides immediate alerts when a secret is detected and offers remediation capabilities to ensure that the leaked secret is promptly revoked and replaced.

Furthermore, to comprehensively check for past exposures of secrets and sensitive data, organizations can leverage GitGuardian’s Public monitoring solution. This solution maps an organization’s attack surface by continuously monitoring all developer-related public activity, even on personal GitHub repositories. It allows tracking keywords specific to the organization, such as project names or IP addresses, to identify potential leaks.

By combining strong IAM controls with effective leak detection technology, organizations can significantly enhance their overall security posture and reduce the risk of unauthorized access and data breaches in cloud environments. This holistic approach to managing secrets and identities is crucial for safeguarding an organization’s sensitive assets and maintaining a robust security foundation in the cloud.
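As an added illustration of the scanning approach described in this answer (example code written for this page, not GitGuardian's detectors or product code), the script below runs two simplified rules over constructed sample source lines: a known-format pattern in the documented AWS access key ID shape, and a sensitive-variable-name check combined with a Shannon entropy threshold to separate random-looking tokens from plain word literals. All sample values, rule names and the 3.5-bit threshold are assumptions made for this example.

```python
import math
import re

# Constructed sample source lines for the example; none of these are real
# credentials. The AKIA value is an invented string in the documented AWS
# access key ID shape, the others are made up.
SAMPLE_LINES = [
    'AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"',
    'db_password = "hunter2"',
    'api_token = "x7Qp2mZ9kL4vN8rT1wB6yH3jS5cF0gD2"',
    'region = "us-east-1"',
    'token = os.environ["API_TOKEN"]',  # read at runtime, not hardcoded
]

# Simplified rules assumed for this example (not GitGuardian's detectors).
KNOWN_FORMATS = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}
SENSITIVE_ASSIGNMENT = re.compile(
    r'(?i)\b(?P<name>\w*(?:secret|token|password|passwd|api_key)\w*)'
    r'\s*=\s*["\'](?P<value>[^"\']+)["\']'
)

def shannon_entropy(s):
    """Bits per character: random-looking tokens score high, words score low."""
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def redact(value):
    """Never echo the full candidate secret into alerts or logs."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"

def scan_line(line, entropy_threshold=3.5):
    """Return a list of (rule, redacted_value) findings for one source line."""
    findings = []
    for rule, pattern in KNOWN_FORMATS.items():
        for m in pattern.finditer(line):
            findings.append((rule, redact(m.group(0))))
    m = SENSITIVE_ASSIGNMENT.search(line)
    if m:
        value = m.group("value")
        rule = ("high_entropy_literal" if shannon_entropy(value) >= entropy_threshold
                else "hardcoded_literal")
        findings.append((rule, redact(value)))
    return findings

if __name__ == "__main__":
    # A hit means revoke and replace the credential, not just delete the line.
    for lineno, line in enumerate(SAMPLE_LINES, 1):
        for rule, value in scan_line(line):
            print(f"line {lineno}: {rule} {value}")
```

A real scanner also has to cover commit history, container images and tickets, as the answer notes, since deleting the line from the current revision leaves the secret recoverable.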

Where can users learn more about GitGuardian?

If, after reading this Q&A, we have piqued your interest in the world of code security, identity, and secrets, then that’s great! We invite you to visit our website, subscribe to our blog, and follow us on YouTube and LinkedIn.
