Code security vendor GitGuardian announced on Dec. 7 that it has raised $44 million in a Series B round of funding to help grow its DevSecOps technology and go-to-market efforts.
GitGuardian was founded in 2017 with the goal of helping developers identify potential risks in public Git repositories hosted on services such as GitHub. The focus to date for GitGuardian has largely been on identifying what are commonly referred to as “secrets”: passwords, API keys and other access credentials for services, which should never be committed to a repository in the first place.
"In the beginning, it was a game for us. GitHub is open by design, which means that we had access to huge amounts of data and we found some data that maybe shouldn't be published," Jérémy Thomas, founder and CEO of GitGuardian, told ITPro Today. "Our company started because we found secrets and sensitive information leakage literally worth tens of billions of dollars in potential damage involving government organizations and companies around the world."
GitGuardian’s Code Security DevSecOps Services
GitGuardian provides several services, including scanning of both public and private Git code repositories. The company sends out an average of 3,600 emails a day alerting public code repository administrators about potential exposure to secrets, according to Thomas.
For its commercial offering, GitGuardian integrates with GitHub, GitLab and Atlassian's Bitbucket to provide a broader view of the DevSecOps and software development lifecycle.
Looking ahead to 2022, Thomas said an area of focus will be security misconfigurations in infrastructure-as-code technologies. With infrastructure-as-code tools such as HashiCorp's Terraform and AWS CloudFormation, the configuration of a cloud deployment is defined in code rather than set by hand, so a misconfiguration (an overly permissive security group, a storage bucket left publicly readable, an unencrypted database) can be caught by scanning that code before it is applied. Git is also increasingly used for GitOps, in which infrastructure configuration is kept in a code repository and changes are rolled out from it, which puts repository scanning in front of infrastructure changes as well as application changes.
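As an added illustration of the infrastructure-as-code checks described above (example code written for this page, not GitGuardian's), here is a small policy check over a Terraform plan as rendered by `terraform show -json`. The plan below is constructed and cut down to the fields the checks read; the resource attribute names are those of the Terraform AWS provider, and the three rules (SSH, RDP or all ports open to the world, an S3 bucket without a public access block enabling all four settings, an RDS instance that is publicly accessible or unencrypted) are common baseline checks chosen for illustration, not GitGuardian's rule set.

```python
import json
import sys

# Constructed stand-in for `terraform show -json tfplan` output, cut down to the
# fields the checks read. The shape (planned_values.root_module.resources[], each
# with "type", "address" and "values"; nested modules under child_modules[]) is
# Terraform's JSON plan format; attribute names are the AWS provider's. Values
# not known until apply are simply absent from planned_values.
SAMPLE_PLAN = {"format_version": "1.0", "planned_values": {"root_module": {
    "resources": [
        {"address": "aws_security_group.web", "type": "aws_security_group", "values": {"ingress": [
            {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
            {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_security_group.db", "type": "aws_security_group", "values": {"ingress": [
            {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/16"]}]}},
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"bucket": "acme-logs"}},
        {"address": "aws_s3_bucket.assets", "type": "aws_s3_bucket", "values": {"bucket": "acme-assets"}},
        {"address": "aws_s3_bucket_public_access_block.assets", "type": "aws_s3_bucket_public_access_block",
         "values": {"bucket": "acme-assets", "block_public_acls": True, "block_public_policy": True,
                    "ignore_public_acls": True, "restrict_public_buckets": True}}],
    "child_modules": [{"address": "module.db", "resources": [
        {"address": "module.db.aws_db_instance.main", "type": "aws_db_instance",
         "values": {"publicly_accessible": True, "storage_encrypted": False}}]}]}}}

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}
PAB_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")


def iter_resources(module):
    """Yield resources of a module and, recursively, of its child modules, in plan order."""
    yield from module.get("resources") or []
    for child in module.get("child_modules") or []:
        yield from iter_resources(child)


def check_security_group(res):
    for rule in res["values"].get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        open_to = sorted(cidrs & ANYWHERE)
        if not open_to:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        all_ports = rule.get("protocol") == "-1" or (lo == 0 and hi == 0)
        if all_ports or any(lo <= p <= hi for p in ADMIN_PORTS):
            yield "sg_admin_port_open_to_world", f"ingress {lo}-{hi} from {open_to}"


def check_rds(res):
    values = res["values"]
    if values.get("publicly_accessible"):
        yield "rds_publicly_accessible", "instance reachable from outside the VPC"
    if not values.get("storage_encrypted"):
        yield "rds_storage_unencrypted", "storage_encrypted is false or unset"


def evaluate(plan: dict) -> list:
    """Return (address, rule, detail) for each misconfiguration in a plan."""
    resources = list(iter_resources(plan["planned_values"]["root_module"]))
    # Pass 1: bucket names covered by a public access block with all four flags on.
    protected = {r["values"].get("bucket") for r in resources
                 if r["type"] == "aws_s3_bucket_public_access_block"
                 and r["values"].get("bucket") and all(r["values"].get(f) for f in PAB_FLAGS)}
    findings = []
    for r in resources:
        if r["type"] == "aws_security_group":
            hits = check_security_group(r)
        elif r["type"] == "aws_db_instance":
            hits = check_rds(r)
        elif r["type"] == "aws_s3_bucket" and r["values"].get("bucket") not in protected:
            # A name unknown until apply is absent, so it cannot match and is reported too.
            hits = [("s3_bucket_without_public_access_block", "no block enabling all four settings")]
        else:
            hits = []
        findings.extend((r["address"], rule, detail) for rule, detail in hits)
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    for address, rule, detail in evaluate(plan):
        print(f"{address}: {rule} ({detail})")
```

Run against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json && python check_plan.py plan.json`. Two design choices matter in practice: the check walks child modules, because most real deployments put resources in modules, and a bucket whose name is only known after apply is reported rather than silently passed, since a scanner that cannot prove a control is present should say so.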
In addition, GitGuardian is getting into Static Application Security Testing (SAST), which analyzes source code without running it to detect insecure coding patterns and logic errors that can lead to application vulnerabilities.
DevSecOps Is About Development and Operations
The GitGuardian approach involves scanning code on developer systems during the development phase, as well as checking application code once it's in operation.
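The secrets detection the article describes, run on the developer's machine before a commit leaves it, as an added Python example (written for this page, not GitGuardian's code, which the article does not show): it walks only the added lines of a unified diff, applies a few credential-shape rules with an entropy floor and a placeholder allowlist, and reports findings with new-file line numbers and a masked value. The diff, the `AKIAQ2B7ZK4WTEST0001` key and the hex API key are constructed for the example; the `AKIAIOSFODNN7EXAMPLE` / `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY` pair is the AWS documentation example. Rule names, the 3.5 bits-per-character threshold and the allowlist are this example's own choices.

```python
import math
import re

# Rule name, regex for the credential shape, optional Shannon-entropy floor
# (bits/char) for the captured value. AKIA+16 chars and gh[pousr]_ are the
# documented AWS / GitHub formats; the generic assignment rule is a heuristic.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), None),
    ("github_token", re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36,})\b"), None),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), None),
    ("generic_secret", re.compile(
        r"""(?i)(?:secret|password|passwd|api[_-]?key|token)\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{16,})"""), 3.5),
]
# Known placeholders (the AWS documentation example key pair, README stand-ins):
# a match equal to one of these is suppressed rather than reported.
ALLOWLIST = {"AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "your_api_key_here"}
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(value: str) -> float:
    """Bits per character: random hex is near 4.0, a run of one letter is 0."""
    n = len(value)
    if n == 0:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Reports must not re-emit the secret: keep a recognisable prefix only."""
    return "*" * len(value) if len(value) <= 8 else value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_line(path, line_no, text):
    out = []
    for rule, regex, floor in PATTERNS:
        for m in regex.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if value in ALLOWLIST or (floor is not None and shannon_entropy(value) < floor):
                continue
            out.append((path, line_no, rule, mask(value)))
    return out


def scan_diff(diff_text: str) -> list:
    """Scan only the added lines of a unified diff, tracking new-file line numbers."""
    findings, path, new_line, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff "):
            in_hunk = False
        elif raw.startswith("+++ "):
            path = raw[6:] if raw.startswith("+++ b/") else raw[4:]
        elif (m := HUNK_RE.match(raw)):
            new_line, in_hunk = int(m.group(1)), True
        elif not in_hunk or raw.startswith(("-", "\\")):
            pass                      # headers, removed lines, "\ No newline" markers
        else:
            if raw.startswith("+"):
                findings.extend(scan_line(path, new_line, raw[1:]))
            new_line += 1             # context and added lines both advance


    return findings


# Constructed diff: a real-looking AWS key ID, the AWS doc example secret (allowlisted),
# a high-entropy API key, a low-entropy placeholder password, and a private key file.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,6 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAQ2B7ZK4WTEST0001"
+AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+API_KEY = "f3a9c1e7b2d4086a5e1c9b7d3f2a4e6c"
+DB_PASSWORD = "aaaaaaaaaaaaaaaaaaaa"
 DEBUG = False
diff --git a/deploy/id_rsa b/deploy/id_rsa
new file mode 100644
--- /dev/null
+++ b/deploy/id_rsa
@@ -0,0 +1,2 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmU=
"""

if __name__ == "__main__":
    import sys
    found = scan_diff(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for path, line, rule, masked in found:
        print(f"{path}:{line}: {rule} {masked}")
    sys.exit(1 if found else 0)
```

Wired into a Git pre-commit hook as `git diff --cached | python scan_secrets.py`, a non-zero exit blocks the commit. The same function run over `git log -p` output sweeps history, which matters because removing a credential in a later commit does not remove it from the repository. Note what the sample shows about false positives: the placeholder password is dropped by the entropy floor and the documentation key pair by the allowlist, while the constructed key ID is still reported because its shape alone is a documented format.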
"You must think of security remediation today as a collaboration between development, security and CloudOps teams," Thomas said. "Previously, security was kind of a bottleneck at the end of the software development lifecycle, and today it is addressed continuously throughout the software development lifecycle."
Security today is a shared responsibility across teams, and each also needs the right view to be able to manage and take action on potential risks, he added. Security teams, for example, get a centralized view of all vulnerabilities with GitGuardian, while developers can get a command-line view.
"The idea is to live where the developer lives and then provide the security teams with a centralized dashboard," Thomas said.