Talend’s deployment of GitGuardian Public Monitoring is protecting Talend from secrets exposure both on its company repositories and on its developers’ personal repositories.
“Human error exists, but the key is to be alerted and be able to take appropriate action when a leak is found,” said Anne Hardy, Talend CISO.
Talend is a global leader in data integration and data integrity solutions and a pioneer in the open-source world. Talend was the first company to market open-source data integration software. As a result of this ‘open-source DNA’, Talend uses GitHub.com extensively to collaborate and share code with the community.
When Talend CISO, Anne Hardy, joined the company in 2020, she quickly identified that there was an issue relating to infrastructure credentials and other secrets leaking through GitHub.
“When I arrived, I heard about quite a few issues with GitHub, including leaks of private information, keys, passwords that could be unintentionally stored and publicly exposed on GitHub by our developers or some of our professional services. We absolutely had to deal with the problem quickly,” said Hardy.
Talend had already tried to remedy this problem by developing an in-house tool. This complex project quickly exposed the limitations of building effective in-house detection solutions. The solution not only had some flaws but also proved to be both challenging and expensive to maintain. Additionally (and crucially), it couldn’t identify and monitor developers’ public personal repositories.
“This is a recurring limitation but also a recurring blind spot most companies do not bear in mind. We often hear ‘I am not open sourcing so why should I care about public GitHub?’, the issue is that secrets sprawling occurs most of the time on developers’ personal repositories,” said Henri Hubert, Head of GitGuardian Secrets Team.
It was at this point that Talend decided to look for a ready-made solution available on the market. The desired solution needed to allow for active monitoring of all its GitHub code repositories as well as the public personal code repositories of its developers.
Hardy said: “We started by looking at open-source solutions but they did not meet our expectations. In particular, it was necessary to declare all the directories to be monitored, which represented a substantial workload.”
Indeed, it is tricky to identify personal repositories belonging to developers, especially when dealing with large teams. Automating this process was the only feasible way forward.
Hardy added: “Then we discovered the GitGuardian solution and analysts confirmed that it was a solid solution and suited our needs.
“Once we decided to deploy GitGuardian’s GitHub public monitoring solution, the ramp-up was rapid. As soon as we had access to the platform, we were able to start remediating past incidents.”
In parallel with the deployment of the solution, a procedure was put in place to treat this type of leak, and all 400 developers were trained on secrets management.
Hardy said: “What I have found to be very effective with GitGuardian is that we can analyze the history of Talend-related alerts on the entire GitHub perimeter, whether they are our official public directories or any public directory outside the control of Talend.
“We launched this audit and several leaked secrets were brought to our attention. What was very interesting and what we didn’t anticipate was that most of the alerts came from the personal code repositories of our developers.”
Hubert said: “This is what our constant monitoring of every single commit pushed to public GitHub unveils: 85% of the leaks occur on developers’ personal repositories. Secrets present in all these repositories can be either personal or corporate and this is where the risk lies for organizations as some of their corporate secrets are exposed publicly through their current or former developer’s personal repositories.”
Talend’s first priority after taking ownership of the solution was to go through the list of historical incidents and enact the new procedure. This allowed them to start on a sound basis and rely on GitGuardian’s real-time alerting going forward.
Hardy said: “It took us three months to clean everything up and solve problems especially with employees who had left the company.”
Today, GitGuardian continuously monitors all commits within Talend’s perimeter, whether on Talend-owned repositories or developers’ personal repos. Credentials are detected a couple of seconds after they become publicly-visible and then listed on the dashboard along with information that will facilitate remediation.
“This real-time alerting is a key element for companies security, as we know that an exposed secret can be identified and used by hackers very quickly. Most of open-source secrets detection solutions do not offer this real time alerting capacity,” said Hubert.
Talend has deployed GitGuardian for the Infosec team. They will also extend it to their team of security champions, developers who will act as an extension to the Infosec team and encourage best practices.
“At GitGuardian we believe that putting ‘developers in the loop’ is key to address code security as developers own the code, they have the knowledge and are central in the remediation process,” said Hubert.
Click below to share this article