Vulnerability Management

GitGuardian’s Honeytoken aims to detect intruders in the software supply chain

Secrets are pervasive in codebases and can be spread throughout different data sources. The trick, of course, is to find them so you can remediate before an attack occurs.

Code and software supply chain security company GitGuardian “finds the secrets and also suggests the fix,” with a secret detection engine that has “a low false positive rate and high recall to catch every type of secrets,” said CEO and co-founder Eric Fourrier, who spoke at RSA with Adrian Sanabria, a host of Security Software Weekly.

GitGuardian scans public GitHub repositories for credential leaks and finds thousands every day. When secrets are left in source code, Jira tickets, and Slack threads, hackers have the freedom to move around your infrastructure, Fourrier said. GitGuardian not only finds secrets but helps with the remediation process, which is time-consuming, he noted.

The role of honeytokens

If an attacker succeeds in gaining access to your code, Fourrier said, they can move laterally and take control of your databases in any of your cloud or other infrastructure resources. The goal of the Honeytoken module is to secure the software supply chain. “We have seen with different attacks [where an attacker] can hijack a production session from an engineer to get access to source code’’ from a third-party supply chain provider, Fourrier said.

With the Honeytoken module, you can learn when, how, and what kind of resources the attacker is getting access to. Honeytoken can determine valuable indicators of compromise like the IP address, the location of a breach, and the specific time and when the attacker triggered the token, he said.

“What we bring to the table is this idea of fingerprinting each IP resource with honeytokens,’’ Fourrier said. “We recommend deploying each honeytoken in a unique place to identify the compromised asset when an attacker trips over a honeytoken. This will trigger an alert to security and SOC teams."

In addition to repositories, self-hosted and managed DevOps tools, developer workstations, honeytokens can also be placed in SaaS providers so you can see if they’ve been breached as well. You can also be alerted about the leaks of your honeytokens on public-facing code repositories, he said.

Keep employees in the loop

Sanabria questioned how to ensure it catches the attacker without your own employees triggering an alert. Fourrier said developer teams have to be educated about how Honeytoken works to avoid false positives. They should also empower developers with easy honeytoken creation and deployment.

GitGuardian has this new module embedded in its platform and people can get some Honeytokens to use for free during the beta period because the company is looking for “massive product feedback to improve the product,” Fourrier said.

Protecting third-party providers

The company’s SaaS-Sentinel product was designed earlier this year to be a “SaaS watchtower” that plants honeytokens among the most used SaaS providers, then monitors and flags when a tool may be under attack that could lead to a software supply chain breach.

To minimize false alerts and increase the reliability of the signal, the product has a number of validation steps before it sends out an alert. Subscription to SaaS Sentinel is free.

To learn more about how Honeytoken works, schedule a demo.

By Esther Shein

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.