A few weeks ago, we had the pleasure of exchanging with Ezequiel Rabinovich, Lemontech's CTO, about how his teams use GitGuardian to protect their repositories. Lemontech is a company developing software for the legal industry based in Santiago, Chile. It serves more than 1,300 customers in Latin America.
Ezequiel supervises a team of about 30 developers and 4 DevOps engineers for approximately 150 employees. They use GitHub for source control management, and their organization has 350 repos, 130 of which are active.
The Story
As it's the case for the vast majority of the 2.5K developers joining GitGuardian every week, it all started with an accident:
"A few years ago, a Lemontech employee accidentally published his AWS API Key on GitHub. Although it was an isolated account used for interviewing candidates, without any connection to our software, a bot immediately spawned a crypto-mining fleet with the key. This event made us realize how probable secrets leaks are, and that we needed a solution to prevent them right away."
Looking for a solution to prevent hard-coded secrets, Lemontech's engineers quickly decided to give GitGuardian a try, thanks to its one-click integration with leading developer platforms like GitHub, GitLab, BitBucket, or Azure Repos.
Fast forward to today, they have scaled up their security processes and use GitGuardian to implement an AppSec shared responsibility model:
“We have security engineers overseeing policies and processes, but security is a shared responsibility and everyone involved is held accountable.”
“Recently, security became more integrated into our workflows; this has been a major change, and last year we became ISO27001 certified, a milestone achievement.”
GitGuardian is also part of the training program:
“GitGuardian has been a really good training tool. We have a training program for new entry-level developers to help them learn the ropes in a controlled environment: if they happen to leak a secret, they are guided through the platform to rotate the credentials.”
Ezequiel then detailed how Lemontech integrates secrets scanning in their software development workflow.
What is Lemontech's Strategy to Bake Security In?
Lemontech implements secrets scanning at the pull request (PR) level. GitGuardian native integration keeps engineers focused and doesn't require them to leave the GitHub interface to manage incidents. Here is an example of a PR that failed to pass a security check:
Ensuring that no secrets fall into the cracks of code reviews is an essential prevention measure to stop secrets sprawl and ensure revoking and rotating affected credentials is easier for Ops and Security teams.
Secrets scanning can also shift left toward the developer for even greater security:
“We encourage developers to install pre-commit hooks on their workstations, and some use them.”
For customer-facing applications, Ezequiel emphasizes that making sure the history is cleaned of any hard-coded secrets is mandatory:
“We use historical analysis for customer-facing apps. For the ISO27001 certification, it was useful to rapidly know the status of a repository. Overall, it allows us to focus on what could be a risk.”
When a leak is detected, a Slack notification is sent:
“At the beginning, we had about one alert every two weeks. We were not paying so much attention, and the time to take action was long. Now we’re much more responsive because we know that if we see a notification, there’s really something going on. The good news is that now it’s more likely to be months without any notification!”
What ROI Have You Seen?
When asked about ROI, here is what Ezequiel told us:
“There is so little time involved to get GitGuardian going, it's a no-brainer: I've definitely seen ROI from the product. For me the best part is that if something happened, we would know it. Peace of mind is amazing!”
Then he explained that GitGuardian helps build a blameless and effective security culture in the company:
“It brings a true security culture. It helps everyone be aware of potential security problems. Most of my teammates have accidentally committed something they shouldn’t at some point—it happens to everyone. I think it really helps make the team better.”
Regarding the security posture, "the trend is obvious" for him: hard-coded secrets in commits have been drastically reduced.
Although Lemontech repositories are private and leaks would be contained, he knows that some high-privilege secrets already happened: "it's good to know GitGuardian has your back; it is an essential last line of defense in any software supply chain."