DevSecOps and Secrets Management – why we invested in GitGuardian

The speed at which software is developed today is remarkable. Two key trends have enabled this new age.

First, collaborative work methods that allow large, distributed teams to work efficiently and, second, a rich universe of software services that abstract operational complexity away from application developers.

Today, it is entirely normal for a team of 40 in a large company to work on a project despite being in eight locations. They share code through GitHub, they use internal Wikis to leave a trail of documentation, they Slack and email each other to be synchronised on the details. And, when they code, they focus on the business logic of their application and not get bogged down in implementation detail. Need telephony? Just hook up Twilio. Need complex Content schema? Just dump stuff in Contentful. And, perhaps most fundamentally, need a bigger boat? Just dynamically instantiate more space on AWS with a single line of code.

In short, these two trends reduce friction. What used to be a monolithic effort, requiring top-down coordination and the assembly of experts has become rapid, modular, distributed.

But with the connectivity that reduces friction comes the need for additional security...

If your developers are using ten external services, you need to know where your customer data actually lives and make sure it is appropriately secured. For each service, you must carefully authenticate so it behaves only in ways you dictate. The units of currency that makes this complex web of connections work are known as 'secrets'. 

Secrets are the user IDs and passwords used by developers to manage cloud services, secrets are the customer records that get shuttled around the web, secrets are the access codes that control access to your infrastructure. If a bad actor gets access to your secrets, they don’t just access your company and your data, they access your customers’ data, they gain access to your system and can pose as your organisation and act in any way they see fit, instantly and anywhere in the world.

And, of course, it turns out that in the high-velocity reality of modern software development, mistakes happen and secrets get leaked. Every day, thousands of developers upload code into public GitHub repositories that happen to contain private credentials. Every day, thousands of developers Slack or email a password for an internal system, forgetting that their server might have been breached. Every day, thousands of developers write a helpful wiki or readme.txt file that contains infrastructure details that a disgruntled employee can walk off with on a USB stick.

GitGuardian co-founders, Jérémy Thomas and Eric Fourrier

GitGuardian has been thinking about this problem for the past two years

After stumbling on the issue, the company’s co-founders, Jérémy and Eric, built a unique engine that recognises secrets and generates a notification every time one is seen somewhere it shouldn’t be.  The first, public project they launched around this technology was GitGuardian. GitGuardian monitors public GitHub and, every time it spots a secret, emails the appropriate developer notifying them of their potential leak.

What started as an interesting project became a lot more when they realised the sheer scale of the problem. Yes, many leaks are relatively harmless - small side projects that might leak a personal AWS account. However, it turns out that there are also huge ones. Ecommerce leaks that would allow a hacker access to millions of customer records. Corporate leaks that could generate tens of millions of dollars in losses, regulatory fines and litigation settlement. Even government leaks that could literally threaten national safety.

Despite stumbling on so obvious a problem and building a solution, the path has not been easy for Eric and Jérémy. While their service quickly got adoption from end developers — 34,000 from thousands of companies use it today for free — they soon discovered that potential customers were often afraid of engaging in case their leaks became public. Rather than using technology to monitor and fix the problem, they tried ignoring the problem, shutting down conversations, worried about publicity, blackmail and more.

Over the last year, the team has learned to harness that negativity and turn it positive. A number of leading technology companies, run by the most highly thought of technical leadership teams have realised that this problem is here to stay. Cumbersome security processes will always fail to catch every corner case when the pressure is on to build faster and collaborate more freely. 

A system like GitGuardian’s that can monitor both public and private repositories, messaging systems and development processes means that you have instant, always-on insurance that any slip will be quickly detected and fixed. The team have gone from awkward silences to selling multi-year contracts to large US corporations, all from a small office in Paris.

GitGuardian gives you instant, always-on insurance that any slip will be quickly detected and fixed.

Sometimes venture is a blindfolded treasure hunt

Sometimes venture investment is like public market investing. You build conviction around a thesis, you trawl through every company working on the problem and find one that is aligned with your view and would like to work with an investor. At other times, it’s more of a blindfolded treasure hunt. This was the case here. Towards the end of a long trip in Paris, after three days and about twenty meetings, I remember walking in to meet Jérémy and Eric for the first time. I had no idea what GitGuardian did until I walked into that room and I remember my skin pricking as they detailed the reality and scale of the problem they were tackling. It was one of those moments when the whole thing is blindingly obvious and you can only wonder why others have not already done this.

The answer to that, it turns out, is that secrets are actually super hard to model and spot. Solving that problem took the team years of effort and innovation, but now they have that key, I am very excited about the scale of the impact they can have.

You can read more about the fundraise here

Stay in touch with Balderton

Sign up for our newsletter to stay up to date on news from Balderton, and our portfolio.