Danny, the Chief Information and Security Officer at a healthcare tech company, and his team have been using both GitGuardian Internal Monitoring and GitGuardian Public Monitoring as a safety net. IT Central Station interviewed him about how GitGuardian is used within his company and wrote an objective and detailed review.
In this interview he shares how the solutions have helped his organization.
It provides a nice safety mechanism, giving us some assurance that if something got forgotten along the way, we are notified before we make it a part of our codebase.
Danny explains how the solution has increased the productivity of the security team and also drastically reduced remediation time.
Letting the authors solve their own problems before they get to the reviewer has significantly improved visibility and reduced the remediation time from multiple days to minutes or hours. Given how time-consuming code reviews can be, it saves some of our more scarce resources. There is easily a 30-hour improvement on time to remediation, which is about an 85 percent improvement.
Concerning the topic of secrets detection and the priority it should have in an appsec program, he has a strong opinion:
If a colleague at another company said to me that secrets detection is not a priority, I would ask what is more of a priority, and then I would point to a quick Google search with a myriad of issues and data breaches that have happened from leaked secrets. Secrets detection is extremely important to a security program for application development, especially on a team of people with various experience levels. Having something automated always improves things. Having that detection on top of any of your manual processes adds an extra layer of safety.
When it comes to the solution's stability, scalability, and ease of deployment, he is rather positive.
It seems really stable. Searches and integration are fast, and we get a response back almost immediately when making pull requests.
There hasn't been an overabundance of false positives. It is intelligent enough to surface the right information without overwhelming us.
The initial setup was very straightforward. The deployment time was five minutes. It was the easiest integration I've ever done. Its ease of integration showed the maturity of the product or their focus in getting that process right.
And here is his advice!
I would advise others to give it a try. It is easy enough to integrate with your process, and you'll see the value right away, with a couple of quick test scenarios. Once you see it in action, it sells itself.
So try it today! And remember if you are an individual developer or part of a small team, it is free!