DevOps orchestration platform provider Opsera has announced the launch of GitCustodian, a new Software-as-a-Service (SaaS) product that detects and reports vulnerable data in code repositories including GitLab, GitHub, and Bitbucket.

GitCustodian scans the code repositories for vulnerable data and alerts security and DevOps teams so that they can prevent vulnerabilities from leaking into production, protecting software development pipelines. Once vulnerabilities are found, the solution automates the remediation process for any uncovered secrets or other sensitive artifacts, Opsera says.

The release comes at a time of heightened awareness around data leaks in source code repositories. In April, GitHub revealed that attackers had used stolen OAuth user tokens issued to third-party integrators to download data from private repositories hosted on the platform.

GitCustodian provides “proactive visibility”

Opsera notes that many software developers unknowingly keep sensitive data (e.g., passwords, certificates, keys) in source code repositories, which, if pushed to production, is at risk of being exposed to cyber attackers. GitCustodian was designed to provide proactive visibility into vulnerable data in source code repositories and help security and DevOps teams address it early in the continuous integration/continuous delivery (CI/CD) process, the company says. Teams receive a centralized snapshot of any vulnerable secrets and other sensitive artifacts at risk across version control systems. According to Opsera, GitCustodian’s key features and benefits include:

  • Secrets detection based on multiple algorithms and industry-standard profiles.
  • Source code repository scanning.
  • Ability to add proactive secrets governance to existing CI/CD workflows.
  • Secure storage for secrets and keys via a built-in vault.
  • Collaboration enablement that notifies impacted teams.
  • Insights and analytics with actionable insights and compliance reporting.

Speaking to CSO, Kumar Chivukula, Co-Founder and CTO of Opsera, explains that GitCustodian works in three main ways. “One, GitCustodian helps companies scan their source code management systems (SCMs) for catching and watching secrets with a dashboard tracking the violators and highlighting the source of the problem. Two, whether you use an Opsera or existing pipeline, you can add a guardrail to scan the pipeline for secrets before the pipeline continues. Most enterprises need to have an option to catch secrets before they deploy into production or a customer environment. Three, when a secret is exposed, we give you the option to add secrets into our built-in Vault, directly allowing you to add secrets in a vault as a parameter and not disclose them in plain text.”
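As an added example (not Opsera's code and not GitCustodian's detection logic), the following Python script sketches the two halves the CTO describes: a repository scan that combines fixed-format credential signatures with a keyword-plus-entropy heuristic, and a pipeline guardrail that stops the build when high-confidence findings exist. Values that are references rather than literals (environment lookups, vault calls, template placeholders) are allow-listed, which is the shape a secret takes once it has been moved into a vault and passed as a parameter. The sample repository, rule patterns, entropy threshold and placeholder list are all assumptions; the AWS key is AWS's documented example value and the other tokens are made up.

```python
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass

# Constructed sample repository (path -> contents). The secrets in it are
# documented or made-up example values, not real credentials.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "DB_PASSWORD = 'correct-horse-battery-staple'\n"
        "ADMIN_PASSWORD = 'changeme'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
    ),
    "deploy/deploy.sh": (
        "#!/bin/sh\n"
        "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz\n"
        'curl -H "Authorization: token $GITHUB_TOKEN" https://api.github.com/user\n'
    ),
    "deploy/id_ed25519": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAA\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    "README.md": 'Set api_key = "<YOUR_API_KEY_HERE>" in the config.\n',
    "app/main.py": (
        "api_key = os.environ['API_KEY']\n"
        "secret = vault.get('app/secret')\n"
    ),
}

# Signature rules: fixed-format credentials that can be matched with high confidence.
# (Assumed patterns for illustration; a real profile set is much larger.)
SIGNATURE_RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
]
# Generic rule: a credential-like keyword assigned a literal of 8+ non-space characters.
KEYWORD_RULE = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*[\"']?([^\s\"']{8,})"
)
# Values that are references, not secrets: templates, env vars, vault lookups.
PLACEHOLDER = re.compile(r"^(<.*>|\$\{?\w+\}?|\{\{.*\}\}|os\.environ|vault\.)")
ENTROPY_THRESHOLD = 3.0  # bits per character; assumed cut-off for 'high' on keyword hits


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    confidence: str  # "high" or "low"
    preview: str     # masked value, safe to put in a report or a ticket


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score well above prose."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value: str) -> str:
    """Keep a short prefix so a finding can be triaged without re-exposing the secret."""
    return value[:4] + "****"


def scan_line(path: str, lineno: int, text: str) -> list[Finding]:
    hits = [
        Finding(path, lineno, name, "high", mask(m.group(0)))
        for name, rx in SIGNATURE_RULES
        if (m := rx.search(text))
    ]
    if hits:
        return hits  # a signature hit outranks the generic keyword rule on the same line
    m = KEYWORD_RULE.search(text)
    if not m or PLACEHOLDER.match(m.group(2)):
        return []
    conf = "high" if shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD else "low"
    return [Finding(path, lineno, "keyword-assignment", conf, mask(m.group(2)))]


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan every line of every file; in CI this would be fed the checked-out tree."""
    return [
        f
        for path, content in files.items()
        for lineno, text in enumerate(content.splitlines(), start=1)
        for f in scan_line(path, lineno, text)
    ]


def gate(findings: list[Finding], block_on: tuple[str, ...] = ("high",)) -> bool:
    """Pipeline guardrail: True lets the pipeline continue, False stops it."""
    return not any(f.confidence in block_on for f in findings)


if __name__ == "__main__":
    results = scan_repo(SAMPLE_REPO)
    for f in results:
        print(f"{f.path}:{f.line} [{f.rule}/{f.confidence}] {f.preview}")
    sys.exit(0 if gate(results) else 1)
```

Run as a pipeline step, the non-zero exit code is what makes the guardrail bite: the sample tree yields four high-confidence findings (a keyword-assigned password, the AWS key, the GitHub token and the private key file) plus one low-confidence one (`changeme`, which falls under the entropy cut-off and is reported for review rather than blocking), so the build stops. Short secrets are where entropy heuristics are weakest, which is why the signature rules carry the high-confidence decisions and the entropy score only ranks the generic keyword hits.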

GitCustodian is available for existing and new customers, with pricing based on the number of repos and number of users.

All software vulnerabilities lead back to insecure code

Industry analysts recognize the security risks and complexities surrounding source code, along with the need for modern businesses to implement effective strategies for detecting and managing source code vulnerabilities. “The way all software vulnerabilities make their way into the world is through source code,” Fernando Montenegro, Senior Principal Analyst at Omdia, tells CSO. “The possible issues with vulnerable code in production run the gamut from simple denial of service through to full-blown data breaches. The moment vulnerable software is exposed in production, it creates not only a new attack surface for a potential attacker, but adds to the ‘technical debt’ that organizations accumulate over time.” The impact can be significant for companies, up to and including public disclosures and regulatory fallout such as fines, he adds.

“Making efforts to remove vulnerabilities before they leak into production should be extremely high on any security executive’s priority list,” Montenegro says. Janet Worthington, Senior Analyst at Forrester, agrees. “To ensure that code deployed to production is secure, organizations must make use of security scanning tools that look for security weakness in the source code and known vulnerabilities in the open source and third-party libraries that developers pack into their applications,” she tells CSO. “Integrating and automating security scanning tools as part of your CI/CD pipeline provides developers with feedback while the code is still fresh in their mind.” This has taken on greater significance since the outbreak of the COVID-19 pandemic and the mass adoption of digital transformation, adds Omdia Senior Principal Analyst Rik Turner. “The rate at which development teams are pushing code into production has accelerated and will continue to do so,” he tells CSO. “With one of the foundations of the agile development process being the reusable componentry that was pioneered by the service-orientated architecture revolution, ever more pre-written and freely available open-source components are being included in the apps developers are writing, so if they come with vulnerabilities, they’re going straight into the apps too.”