How a Large Healthcare Company Slashed Their Secrets Incidents by Half

Disclaimer: This blog post is a translation of an interview published in LeMagIT.

Doctolib, one of Europe's largest tech healthcare companies, is constantly broadening its suite of applications for healthcare professionals, offering tools that handle highly sensitive data. With a workforce of 2,900, Doctolib's patient-facing website is just a tiny part of its services. Their platform provides healthcare professionals with everything from appointment scheduling and consultation note-taking to patient file management. For them, security is critical—especially when it comes to managing secrets like certificates and passwords during development.

Among its 800 Tech & Product division employees, 20 are dedicated to cybersecurity. Two years ago, the cybersecurity team took a hard look at how it safeguarded secrets. "We wanted to ensure our secrets were not exposed," explains Tanguy Segarra, Doctolib's Blue Team Tech Lead.

This meant preventing secrets from being hardcoded in source code and keeping them in a dedicated, secure secrets store instead.

While Doctolib's code repositories are private, the risk of secret exposure—similar to high-profile incidents that have affected other tech companies—was not one they could afford to take.

Early challenges

Initially, the team turned to Yelp's open-source Detect-Secrets tool for scanning code and identifying exposed secrets. However, this manual process proved unsustainable. It required extensive code scanning, issue flagging, and developer coordination.

Evolution of secrets incidents at Doctolib

"It was a tedious process," Segarra admits.

We had to thoroughly scan the code and systematically reach out to the developers. Our role felt unrewarding; we felt like mere intermediaries, and the effort far outweighed the benefits. We needed automation to free up our resources.

Automating Secrets Detection with GitGuardian

Though Doctolib had implemented HashiCorp's Vault for secure secret storage, they recognized that a vault couldn't prevent hardcoded secrets. In their search for a best-in-class solution to automate secrets detection, they chose GitGuardian.

However, introducing new tools into developer workflows can be tricky. "Developers often perceive security tools as an added constraint that negatively affects their efficiency," says Segarra.

We wanted to avoid disrupting their workflow while establishing a framework that promotes security best practices, including regular secret rotation.

Phased Rollout and Immediate Results

To ensure successful adoption, Doctolib implemented GitGuardian methodically. "Our goal was to improve secrets hygiene across our codebases," says Segarra. "We started gradually, allowing some exceptions initially." The team began with a pilot program involving 50 developers working on major codebases, focusing first on education and core features while encouraging organic adoption.

During this pilot phase, the team tested and fine-tuned validation and severity rules, prioritizing the protection of critical secrets in cloud-based environments. "We quickly identified and prioritized our most severe issues—about 50 incidents requiring immediate attention," Segarra notes.

Before GitGuardian, prioritization was a struggle. Now we can address critical issues immediately.

Full-Scale Deployment

Following the success of the pilot program, the rollout expanded to include all teams and repositories in September 2023. GitGuardian now monitors all Doctolib code in real time. Segarra stated, "We rely on automatic incident categorization and ticket generation through GitGuardian, allowing our technical teams to implement corrective measures as quickly as possible."

Doctolib immediately assessed the impact of GitGuardian: from 2019 to 2023, the number of security incidents rose from 130 to a peak of 2,200 as Doctolib scaled its services. After deploying GitGuardian, incidents were cut by more than half, and the trend is expected to improve further in 2024.

A Winning Combination

According to Segarra, the combination of HashiCorp Vault for secure storage and GitGuardian for automated secrets detection has been a game-changer. It enabled Doctolib to improve security without creating friction for developers. The result? A streamlined process that protects sensitive data while supporting the team's productivity.

Take the Next Step in Securing Your Codebase

Doctolib's success in cutting secrets incidents by more than half shows how combining the right tools with a developer-friendly approach can transform your security posture.

Protect your sensitive data today, and let your developers focus on building, not firefighting. Book a demo and see how GitGuardian can help your team protect their codebase without disrupting productivity.