{"id":40022,"date":"2019-11-28T09:17:06","date_gmt":"2019-11-28T09:17:06","guid":{"rendered":"http:\/\/icloud.pe\/blog\/?guid=98d01dcd60230f1aaa4c2879a6abdd29"},"modified":"2019-11-28T09:17:06","modified_gmt":"2019-11-28T09:17:06","slug":"gitguardian-the-security-startup-hunting-down-online-secrets-to-keep-companies-safe-from-hackers","status":"publish","type":"post","link":"https:\/\/icloud.pe\/blog\/gitguardian-the-security-startup-hunting-down-online-secrets-to-keep-companies-safe-from-hackers\/","title":{"rendered":"GitGuardian, the security startup hunting down online secrets to keep companies safe from hackers"},"content":{"rendered":"<p><span class=\"field field-name-field-author field-type-node-reference field-label-hidden\"><br \/>\n      <span class=\"field-item even\"><a href=\"https:\/\/www.cloudpro.co.uk\/authors\/victoria-woollaston\">Victoria Woollaston<\/a><\/span><br \/>\n  <\/span><\/p>\n<div class=\"field field-name-field-published-date field-type-datetime field-label-hidden\">\n<div class=\"field-items\">\n<div class=\"field-item even\"><span class=\"date-display-single\">28 Nov, 2019<\/span><\/div>\n<\/p><\/div>\n<\/div>\n<p class=\"short-teaser\">\n<a href=\"https:\/\/www.cloudpro.co.uk\/\" title=\"\" class=\"combined-link\"><\/a><\/p>\n<div class=\"field field-name-body\">\n<p dir=\"ltr\"><span>When the login details of an Uber engineer were exposed in 2016 \u2013 signalling one of the most high-profile breaches of recent years \u2013 the names and addresses of 57 million riders and drivers were left at the mercy of hackers.\u00a0<\/span><\/p>\n<p dir=\"ltr\"><span>None of Uber\u2019s corporate systems had been directly breached, though. Its security infrastructure was working as it should. 
Instead, the credentials were found buried within the code of an Uber developer\u2019s <\/span><a href=\"https:\/\/www.ftc.gov\/news-events\/blogs\/business-blog\/2018\/04\/ftc-addresses-ubers-undisclosed-data-breach-new-proposed\"><span>personal GitHub account<\/span><\/a><span>. This account and its repositories were hacked, <\/span><a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/federal_register_notices\/2018\/04\/152_3054_uber_revised_consent_analysis_pub_frn.pdf\"><span>reportedly due to poor password hygiene<\/span><\/a><span> and the stolen credentials used to access Uber\u2019s vast datastore. This breach, which Uber sat on for a year, <\/span><a href=\"https:\/\/www.itpro.co.uk\/data-breaches\/31999\/uber-fined-148m-for-attempting-to-hide-2016-data-breach\"><span>resulted in a then-record-breaking $148 million fine<\/span><\/a><span>.<\/span><\/p>\n<p dir=\"ltr\"><span>Yet despite this public lesson in how not to handle private credentials, so-called company secret leakage <\/span><a href=\"https:\/\/www.itpro.co.uk\/data-breaches\/34355\/an-inside-job-the-human-factor-of-cybersecurity\"><span>is an everyday occurrence<\/span><\/a><span>.\u00a0<\/span><\/p>\n<h2 dir=\"ltr\"><span>The rise of secret leakage<\/span><\/h2>\n<p dir=\"ltr\"><a href=\"https:\/\/www.ndss-symposium.org\/wp-content\/uploads\/2019\/02\/ndss2019_04B-3_Meli_paper.pdf\"><span>Research from North Carolina State University<\/span><\/a><span> found that in just six months between October 2017 and April 2018, more than half a million secrets were uploaded to GitHub repositories, including sensitive login details, access keys, auth tokens and private files. 
A 2019 <\/span><a href=\"https:\/\/www.sans.org\/reading-room\/whitepapers\/cloud\/2019-cloud-security-survey_38940\"><span>SANS Institute survey<\/span><\/a><span> found that half of company data breaches in the past 12 months were a result of credential hacking \u2013 higher than any other attack method among firms using cloud-based services.\u00a0<\/span><\/p>\n<p dir=\"ltr\"><span>This is where GitGuardian comes in.\u00a0<\/span><\/p>\n<p dir=\"ltr\"><span>Founded in 2017 by J\u00e9r\u00e9my Thomas and Eric Fourrier \u2013 a pair of applied mathematics graduates and software engineers specialising in data science, machine learning and AI \u2013 the Paris-based cybersecurity startup uses a combination of algorithms, including pattern matching and machine learning, to hunt for signs of company secrets in online code. According to the company\u2019s figures, more than a staggering 3,000 secrets make their way online every day.<\/span><\/p>\n<p dir=\"ltr\"><span>\u201cThe idea for GitGuardian came when Eric and I spotted a vulnerability buried in a GitHub repository,\u201d CEO and co-founder Thomas tells <em>Cloud<\/em><\/span><span><em>\u00a0Pro<\/em>.<\/span><span> \u201cThis vulnerability involved sensitive credentials relating to a major company being leaked online that had the potential to cost the firm tens of millions of dollars if they had got into the wrong hands. 
We alerted the company to the vulnerability and it was able to nullify it in less than a week.\u201d\u00a0<\/span><\/p>\n<p dir=\"ltr\"><span>\u201cWe then built an algorithm and real-time monitoring platform that automated and significantly built-upon the manual steps we took when we made that initial detection, and this platform attracted interest from GitHub\u2019s own Scott Chacon as well as Solomon Hykes from Docker and Renaud Visage from EventBrite.\u201d\u00a0<\/span><\/p>\n<h2 dir=\"ltr\"><span>How the cloud is fuelling secret leakage<\/span><\/h2>\n<p dir=\"ltr\"><span>The problem of sensitive data leakage stems in part from the increasing reliance of software developers on third-party services. To integrate such services, developers often juggle hundreds of credentials with varying sensitivity, from <\/span><a href=\"https:\/\/www.itpro.co.uk\/application-programming-interface-api\/33557\/the-api-economy-what-your-business-needs-to-know\"><span>API<\/span><\/a><span> keys used to provide mapping features on websites to <\/span><a href=\"https:\/\/www.itpro.co.uk\/security\/34671\/us-military-data-exposed-in-179gb-autoclerk-leak\"><span>Amazon Web Services login details<\/span><\/a><span>, and <\/span><a href=\"https:\/\/www.itpro.co.uk\/encryption\/30380\/what-is-pgp\"><span>private cryptographic keys<\/span><\/a><span> for servers. Not to mention the many secrets designed to protect data, surrounding payment systems, intellectual property and more.\u00a0<\/span><\/p>\n<p dir=\"ltr\"><span>In the process of handling these integrations, more than 40 million developers and almost 3 million businesses and organisations globally use <\/span><a href=\"https:\/\/www.itpro.co.uk\/open-source\/31833\/what-is-github\"><span>GitHub<\/span><\/a><span>, the public platform that lets developers share code and collaboratively work on projects. 
Either by accident (in the majority of cases), or occasionally knowingly, these uploads have company secrets buried within them alongside the code that\u2019s being developed. As was seen with <\/span><a href=\"https:\/\/www.itpro.co.uk\/data-breaches\/30477\/uber-ciso-there-was-no-justification-for-hiding-data-breach\"><span>the Uber breach<\/span><\/a><span>, hackers can theoretically scour this code, steal credentials and hack company accounts all without the developer and their employer being any the wiser.<\/span><\/p>\n<h2 dir=\"ltr\"><span>How GitGuardian plugs these leaks<\/span><\/h2>\n<p dir=\"ltr\"><span>GitGuardian\u2019s technology works by first linking developers registered on GitHub to their respective companies. This already gives the company greater insight over who their developers are on GitHub and the levels of public activity they\u2019re involved in. This is especially important for developers\u2019 personal repositories because they\u2019re completely out of their companies\u2019 control, yet too often contain corporate credentials.\u00a0<\/span><\/p>\n<p dir=\"ltr\"><span>Once linked, GitGuardian\u2019s <\/span><a href=\"https:\/\/www.itpro.co.uk\/data-insights\/30212\/what-is-an-algorithm\"><span>algorithms<\/span><\/a><span> scrutinise any and all code changes, known as commits, made by these developers in real-time, looking for signs of company secrets. Such signs within these commits range from code patterns to file types that have previously been found to contain credentials.\u00a0\u00a0<\/span><\/p>\n<p dir=\"ltr\"><span>\u201cOur algorithms scan the content of more than 2.5 million commits a day, covering over 300 types of secrets from keys to database connection strings, SSL certificates, usernames and passwords,\u201d Thomas continues.<\/span><\/p>\n<p dir=\"ltr\"><span>Once a leak occurs, it takes four seconds for GitGuardian to detect it and send an alert to the developer and their security team. 
On average, the information is removed within 25 minutes and the credential is revoked within the hour. For every alert, GitGuardian seeks feedback from its developers and security teams who rate the accuracy of the detection: were company secrets actually exposed or was it a false positive? Consequently, the algorithm is constantly evolving in response to new secrets and how they are leaked.<\/span><\/p>\n<p dir=\"ltr\"><span>This seems like a simple premise, even if the technology behind it is far from simple. But what\u2019s to stop a hacker building a similar algorithm to intercept the secrets before GitGuardian\u2019s platform spots it?\u00a0<\/span><\/p>\n<p dir=\"ltr\"><span>\u201cGitGuardian is indeed competing with individual black hat hackers, as well as organised criminal groups,\u201d Thomas explains. \u201cWe constantly improve our algorithms to be quicker and smarter than they are, and to be able to detect a wider scope of vulnerabilities, which requires a dedicated, highly skilled team.<\/span><\/p>\n<p dir=\"ltr\"><span>\u201cWe&#8217;re helped in this by our users and customers who give us feedback \u2013 at scale \u2013 that we reinject into our algorithms. Our <\/span><a href=\"https:\/\/www.itpro.co.uk\/hacking\/30282\/what-is-ethical-hacking-white-hat-hackers-explained\"><span>white hat approach<\/span><\/a><span> allows us to collect feedback and this gives us a tremendous edge over black hats. You can see this as the unfair advantage you get by doing good.\u201d<\/span><\/p>\n<p dir=\"ltr\"><span>GitGuardian has already supported global government organisations, more than 100 Fortune 500 companies and 400,000 individual developers. 
It\u2019s now setting its sights on adding even more developers and companies to its platform to further improve its algorithm, and extend this technology for use on private sites.\u00a0<\/span><\/p>\n<p dir=\"ltr\"><span>\u201cWe started GitGuardian by tackling secrets in source code and private sites,\u201d concludes Thomas. \u201cOur ambition really is to be developers\u2019 and cybersecurity professionals\u2019 best friend when it comes to securing the vulnerability area that is emerging due to modern software development techniques [and] we\u2019re on the road to doing this.\u201d<\/span><\/p>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>      Victoria Woollaston<\/p>\n<p>        28 Nov, 2019    <\/p>\n<p>      When the login details of an Uber engineer were exposed in 2016 \u2013 signalling one of the most high-profile breaches of recent years \u2013 the names and addresses of 57 million riders and drive&#8230;<\/p>\n","protected":false},"author":619,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-40022","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/40022","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/users\/619"}],"replies":[{"embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/comments?post=40022"}],"version-history":[{"count":1,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/40022\/revisions"}],"predecessor-version":[{"id":40023,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/posts\/40022\/revisions\/40023"}],"wp:attachment":[{"href":"https:\/\/icloud.pe\/blog\
/wp-json\/wp\/v2\/media?parent=40022"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/categories?post=40022"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/icloud.pe\/blog\/wp-json\/wp\/v2\/tags?post=40022"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}