GitGuardian Extends Reach to Manage Non-Human Identities – Source: securityboulevard.com

GitGuardian today extended the reach of its ability to manage applications secrets into the realm of non-human identities (NHI) associated with machines and software components.

The GitGuardian NHI security platform enables cybersecurity teams to discover where these secrets are being stored, and then enforce policies such as rotation to ensure adherence to best practices.

Carole Winquist, chief marketing officer for GitGuardian, said this latest offering extends the capabilities of a set of secrets management tools that the company currently provides to software developers who need to track where the secrets used to access applications are stored. That capability in addition to identifying secrets that are no longer being used also surfaces secrets that are overprovisioned or may have been compromised, she added.

The challenge organizations are now encountering is that the number of NHI secrets associated with machines and software components far exceeds the number of secrets that humans rely on to securely access applications, noted Winquist.

Those secrets can now be discovered regardless of where they are stored, including with secret vaults provided by HashiCorp, CyberArk, Amazon Web Services (AWS), Google and Microsoft. That capability is critical because many organizations are now storing secrets in multiple vault managers, said Winquist.

Going forward, GitGuardian also revealed today that it plans to add additional automation, hygiene analytics, and enhanced incident response tools to the platform.

It’s not clear, however, how many of those secrets wind up being stored in one of those vaults. In reality, secrets are scattered across codebases, DevOps pipelines and productivity tools such as spreadsheets and messaging platforms.

In an era where audits are being conducted more thoroughly, that tendency to store secrets in plain text using applications that cybercriminals might gain access to via a phishing attack creates a lot of potential exposure to potential penalties that might be levied by any number of regulatory bodies, noted Winquist.

In theory, application development teams have been embracing best DevSecOps practices to better secure secrets. A Techstrong Research survey, however, finds less than half (47%) of respondents work for organizations that regularly employ best DevSecOps practices. As a consequence, it generally falls to cybersecurity teams to discover where secrets may have inadvertently been stored in a way that creates an opportunity for cybercriminals to wreak havoc.

Ultimately, more stringent regulations such as the Digital Operational Resilience Act (DORA) will force the secrets management issue. As more organizations become financially liable for how application environments are secured, tolerance for sloppy management of application secrets will rapidly decline.

In the meantime, organizations of all sizes should at the very least have an inventory of their secrets, including those attached to machines that when compromised can provide lateral access to the rest of a distributed application environment. After all, most cybercriminals are not going to go to the trouble of creating and maintaining advanced malware when the secrets that provide access to the entire IT kingdom are readily available to anyone who cares to make the trivial effort.