GitGuardian CEO Jeremy Thomas recently had the privilege of being interviewed by BFM Business on national French television about winning the FIC start-up of the year award and the exciting road ahead for GitGuardian. The interview is in French, but below you can find the English transcript.
I am here with Jeremy Thomas, co-founder and CEO of GitGuardian.
Good morning Jeremy and thank you for being here. You are a recipient of the FIC (International Cybersecurity Forum) start-up of the year award which will be held on the 8th, 9th, and 10th of June taking place in Lille, France. Congratulations firstly and please tell us more about GitGuardian. I know the word git from GitHub, is this referring to the same thing? Does GitGuardian belong in the world of software development?
0:41 Jeremy Thomas
You are absolutely right. At GitGuardian we focus on helping organizations secure their applications and their software development life cycle.
It has become a strategic issue for organizations to bring their software to market as quickly as possible and to evolve as quickly as possible with the needs of their users. To do this, the way software is developed has changed radically in recent years. We are witnessing a revolution. Companies need to hire more developers and we are using an increasing number of external building blocks, these can be open source components, SaaS platforms...
Platforms that will make our lives easier, but ultimately whose potential flaws are not necessarily known.
1:19 Jeremy Thomas
Yes, that's right. We now need to rely on these external building blocks and the work of developers is increasingly about connecting these building blocks. You have to realize that within the cyber security and software industry there is not a single solution that can meet all your security challenges and needs. As such we're interested in one specific vulnerability in particular, this is, the presence of secrets in the source code.
That's all the authentication information right? Could you give us an example to clarify?
1:50 Jeremy Thomas
Yes, a secret is like a password, but it is meant to be used programmatically. For this reason, it will be found quite naturally within source code. It's a password that will give access, for example, to a payment system or an internal messaging system or a server. And the problem with this secret being in the source code is that this source code is widely accessed within the organization.
So that being the case, if we penetrate the organization, we have access to this secret.
2:19 Jeremy Thomas
And are there a lot of these secrets? I think you've been measuring the volume. The number of secrets that are leaking everyday on GitHub.
2:26 Jeremy Thomas
Yes, we have measured the number of secrets leaking on public GitHub. This is how GitGuardian started, analyzing open source code for secrets. We analyzed hundreds of millions of code repositories that were publicly accessible and within those repositories, we found information that should not have been public. This is the worst place for a secret, it is the equivalent to a public square.
To use these secrets, do you need to be a real genius or can anyone who understands code use these secrets?
3:03 Jeremy Thomas
A secret is about as easy to use as a password. So it's within the reach of any developer, and that's what makes this kind of flaw extremely critical. Beyond the criticality of the systems behind it, these are vulnerabilities that can be exploited without any particular knowledge by any developer.
What does that mean? Do developers need to be better educated?
Is this what your tool will be used for, to educate developers? To tell them to be careful about security?
Of course, now with more applications using external building blocks as you say, using APIs for example, is this part of GitGuardian's mission?
3:55 Jeremy Thomas
Yes, we have realized that remediation is less costly when it occurs early in the software development cycle. Ideally, we'll remedy the vulnerability as soon as it's introduced into the source code and for that to happen, you have to be very close to the developers. In other words, interface with the tools they use on a daily basis. There is also the part of education as you say that needs to be a part of the culture within the organization. We need to set up a culture where people understand it's okay to make mistakes but also have a sense of responsibility, so that each developer wants to keep his code secure.
Who are the users of GitGuardian? Is it the developers, the security teams? Who are your customers?
4:37 Jeremy Thomas
Those who buy from us today are essentially large American companies, with a large number of developers. We started our commercial expansion in the United States from France. It is the security teams and CISOs who purchase the GitGuardian product, but it is the application security team who will implement the product in collaboration with the developers.
You were founded in 2017 and today 35 people work at GitGuardian. You also raised $12 million in 2019, notably from someone we know well in France, Bernard Liautaud, from the Balderton fund. Have you seen an impact since mobile applications are being developed more and more? Are there more vulnerabilities due to this increasing usage of mobile applications and devices compared to more traditional applications?
5:36 Jeremy Thomas
The origin of the vulnerabilities we detect is the fact that the applications are no longer monolithic and that they are made up of a lot of external building blocks. And this is also the case of mobile applications that are on the Android store for example. If you compile these applications, you're going to realize that there are a lot of secrets inside that give access to the cloud infrastructure, for example, which is used to host your data.
So we have to be careful about all that. Are you looking to work also with other vendors that could be complementary to your solution?
6:22 Jeremy Thomas
Usually, we are one component of a larger overall application security strategy. When an organization is trying to secure their source code they will look at solutions to detect logic errors in code, or detect vulnerabilities in open source dependencies. These are different but complementary solutions. GitGuardian focuses on a third type of vulnerability which is the detection of secrets. As such we work with a whole ecosystem of companies that complement each other. Application security is an extremely dynamic industry and a lot of new players have emerged that focus on one specific vertical.
So, just a last word. As I mentioned you won the first prize of the FIC (International Cybersecurity Forum) 2021 cybersecurity start-up of the year. Another winner in previous years was Alsid who was just acquired by an American company. Are you going to stay French? Of course you can never say never because it depends on the opportunities. Considering your clients are mostly American and you have a global focus, how do you feel about this?
7:29 Jeremy Thomas
I would like to take this opportunity to point out that there is Alsid which announced its acquisition last week. But at the same time, you had Sqreen, which was also a FIC winner in previous years, and it has also been acquired by an American company. Indeed, I think that France has a very important role to play in this on two levels in terms of investment. So, it is a question of being able to be a European company on the American market because today, we know that to be world leader, the United States is a mandatory step. This has been our strategy since the creation of the company. The second extremely important aspect is that large European companies manage to buy software that is developed by start-ups. And we have realized that American accounts are faster to buy our products than European accounts have been.
You did well to point out that Sqreen was also acquired. A little bit of nationalism, because Alsid was acquired by Tenable, which was founded by a Frenchman, even if he has lived in the United States for quite a few years. And Sqreen joined Datadog, which also had a French founder, even if now they are very American, but here we are, all the same. We can see that we have solid skills in the field. Are you going to be recruiting?
8:53 Jeremy Thomas
Yes, GitGuardian is recruiting. Go and see our job openings on our website.
Thank you for being with us. Jeremy Thomas, co-founder and president of GitGuardian. Congratulations for winning the FIC award. We'll have the opportunity to talk about it again as the FIC - Cyber Security Forum - will be in Lille on June 8, 9, 10.
If all goes well, let's hope we can all meet there again. Have a great week on BFM Business.