Transcript
Hi, Mike Matchett with Small World Big Data. We're here at RSAC 2025. We're going around and talking to all the best cybersecurity vendors on the show floor, and we've got some great things to talk to you about, some new trends. We're talking to GitGuardian right now. Let's introduce our folks.

Hi. Hello, I'm Carole Winqwist, CMO, GitGuardian.

Okay. And I'm Dwayne McDaniel, senior developer advocate at GitGuardian.

All right. So let's just start off by saying, lots of things going on here at RSAC, lots of different approaches to security. GitGuardian sounds like you have a particular focus on what's going on with code and app dev. Maybe one of you could explain, just at a high level, where you focus on cybersecurity.

So not just code and app dev. This is coming from our history, you're right, but we are now focusing on non-human identity security. And part of this is secret security, the problem of secrets. You know, API tokens that are in code and hard-coded. This is where we come from. This is where we are the best in the market. We're the number one app on GitHub for that, tackling that problem. Now we just launched at RSA a new product called NHI Governance, non-human identity governance, where we look at secrets not only when they're not well stored and hard-coded, but also when they're well stored in vaults but not well managed, when they're over-permissioned or stale or duplicated.

All right, that's interesting that you say non-human instead of inhuman or unhuman. Just clarify a little bit, because some of the folks here aren't necessarily security people. What do you mean by non-human? Maybe Dwayne can.

Well, yes. Humans are pretty well defined. We know what a human being is. And just the same way your passwords aren't you, there's this idea that there's things that aren't humans. They are, well, service accounts, they are internet of things devices, they're devices, they're servers, they're processes inside of Kubernetes clusters.
Again, it's really hard to pin down exactly the term, what is an identity in that? But just as you are not your password, these all have secrets. That is the one commonality of all of them: they must authenticate to do their workload. And that's where our experience over eight years of looking for hard-coded credentials in places where they shouldn't be, like out on public GitHub, or in git repositories, or other places like Jira or Slack or these other places, really comes into play. It's like, well, wait a minute, why can't we take that subsection of those secrets that are non-human and align governance models the same way we've aligned governance models with IGA and IAM over the last few years?

All right. So I mean that definitely helps clarify what we're talking about here. So we're talking about things that wouldn't be human necessarily, roles or role-based access in the human sense, but everything else around it. And we know there's software supply chains that get pretty complex, and embedded OAuth things everywhere, and lots of complex webs of stuff. So how do you start? Just again, kind of life cycle, high-level-wise, how do you start finding where the secrets are buried, if that's a good question?

Yeah. So we have different integrations with different environments where code and developers work. So yes, we started with code. So we connect to GitHub, GitLab, Bitbucket, where the code is made. But we also connect where developers spend their life, you know, Slack, Jira, Confluence, wherever they can exchange with one another. And they could hard-code this famous secret that we don't want in the wild, because they are the key to your kingdom, right?

Oh, I just said we had SharePoint recently. And it's not just developers leaking their secrets into the code bases that they're releasing. It's also people copying and pasting from secure locations like vaults and putting them into places like SharePoint or Jira tickets.
We found that there was only an 8% overlap, that of the secrets that were leaked in these non-git sources also appeared in their git repos. So it's a whole different world of the same problem. Now, that answers it from the "where are we looking for the secrets where they're not supposed to be" side. The thing we're very excited to be here at RSA talking about is, now with our partnerships and integration with CyberArk, Vault, AWS Secrets Manager, and, well, all the rest of the players out there, we can now integrate and make a safe pass through your secret managers to find out, where the secrets are supposed to be, if they're in the right place. So if you have the same secret across three different vaults, that's not good. If staging and production are consuming the same resource from the same database, that's probably not good. So that's where this whole idea of governance really initiates. It's like, we find the secrets where they're not supposed to be, and then we map out where they're supposed to be, and do those two things screw up? And what is the truth about how they're being used?

All right. So, I mean, I think if I'm getting the idea here, it's you really only want a secret in one place, and you want it in the right place and the best place. And if it starts showing up in your Jira tickets, that's a bad thing, right? And so is this, I mean, I started begging the question, but this isn't then just a one-time scan. This has got to be something you must do all the time, right?

Yeah, it's a real-time scan, and it's one of our strengths. We were able to scan in real time very large repositories, or cubes, or whatever the source is, because it's an ongoing problem, right? We do stop the bleeding. What we mean is we even detect very early on, when the developer is actually coding, through either a VS Code extension or a pre-commit hook. We are able to help shift left, really, to the developer station.
So secrets don't even live at their station. And they can be protected, because they're not exposed and don't need rotation. Because the problem is, the remediation is the worst on this. Of course detection is important, but we like to say, detection without remediation is just noise. We don't want just to surface a problem, we want to solve it, and we work with our customers solving it. One of our largest customers deployed to more than ten users. So you see, it's a big one. They managed to reduce by 80% the number of secrets entering their source code. Why is that? Because they applied all the tools that we provide them with to enable developers not to hard-code secrets.

Oh, that's great. And there's probably a lot more questions we could ask here. You know, I'm just dying to know, like, well, what if someone's in a pre-production or pre-testing cycle, or CI/CD cycles and stuff. We'll have to do that in a deeper dive. But we're here at RSAC, so let's talk about that. There's a lot of themes going on here, obviously AI, certifying supply chain. What themes have you noticed that people are interested in where GitGuardian actually plays a role here at the show?

So maybe we should talk a bit about the problematics around AI. Is my copilot going to help me have cleaner code? Is it going to help? What are agents going to add to my vulnerabilities? And I think we have a lot to tell about that. I mean, going.

Yes, absolutely. That's definitely been the running theme, I think, not just at RSA but at every security event I've been going to for the last year. What I've noticed is people aren't just talking about, is this going to leak my secret now in the ways that we originally thought of, like, we'll ask it for the secret from the system and we'll get it out. But now we're starting to think about, well, what are the logs when we're doing tuning of these models?
Are those containing the secrets? Because how are we storing those? Are those S3 buckets secure? Also, the world of how do we connect these systems together. Is that in a secure way? MCP servers is the new hotness in AI connectivity. We just released a study this week that found 5.6% of public MCP servers we could reach contained a secret within it. That's not good. So if we're just repeating the same mistakes of putting plaintext in source code and just going to keep repeating that cycle, not good. That's, again, where we're here to help, because AI is just another technology, and we know how to solve this problem in technology already.

All right. No, that's great. If you had one piece of advice, then, for the 25,000 people that are here, that you'd like them to understand as a takeaway, particularly relevant to this problem, what would that be?

I think it's back to what I was saying. It's good to identify, it's good to raise alerts, but solve the problem, remediate, take action. And we are in the market to do that, right? Not just warning you, helping you solve the problem.

Yeah. Get your secrets out of those tickets, I think would be the first thing.

This is great. If someone wants to learn a little bit more then about GitGuardian, maybe engage with you folks, what would you have them do first?

They can do that on our website. We have the website, but we also have a blog full of learnings, cheat sheets. We have a very good security researcher team. We issue the State of Secrets profile, which is very recent, was released in March, and outlined the problem. We found 24 million secrets in GitHub, so a lot to read there, very interesting reading. We also have a podcast with Dwayne and security practitioners where we can learn. So we do a lot of education, a lot to find on the website and on our YouTube channel and the security podcast.

And I would make one specific suggestion if you're curious how you're exposed on public GitHub.
We've been doing public GitHub monitoring for a very long time. We have a free tool where you can get a quick assessment of that from our website. Just go to the top. I believe it's under Resources, very easy to find. It's a big old thing, you'll see it, but gitguardian.com, public exposure audit.

Yes. Public exposure audit.

So the secrets are out there. You're probably leaking some, given the statistics we've just been talking about. It's probably worth your time to take a look at this assessment tool from GitGuardian and at least get a handle on the issue. Maybe get some research statistics and go to your CISO, if you're not the CISO, and start to make an argument for doing more, better. Take care, folks.