As we announced earlier today, Nightfall is thrilled to team up with Snyk to provide a state-of-the-art security solution for developers working in every phase of the code-to-cloud lifecycle. But that’s just the “What”—now let’s dive into the “Why” and the “How.”
Why is it so important to scan for secrets?
Businesses continue to migrate to the cloud in droves—but so do threat actors. In 2023, 82% of data breaches involved data that was stored in the cloud. Why? Because threat actors are taking advantage of businesses’ rapidly expanding attack surfaces caused by data sprawl.
Once sensitive data makes its way into SaaS or generative AI (GenAI) apps, it tends to proliferate rapidly. To give you a better idea of the extent of this sprawl, Nightfall detects over 15,000 instances of leaked sensitive data per day. This wildly pervasive problem opens businesses up to an increased risk of supply chain attacks, privilege escalation attacks, and ransomware attacks—that is, unless they detect and remediate their leaked data as quickly as possible.
Every employee—not just security teams—has a part to play in stopping the sprawl and keeping their business’ data safe. However, developers have an outsized role, since they hold privileged access to databases, production systems, and source code via secrets like API keys and other high-value credentials.
While GitHub may be the first app that comes to mind in terms of exposed API keys, it’s also important to keep a lookout in apps like Slack and Teams, as it’s easy for developers to copy and paste credentials into messages and cloud workspaces. In fact, for every active key that Nightfall finds in GitHub, we find another 5 in Jira.
Containing secrets sprawl may seem like an insurmountable task at times, especially with the lack of accurate, cloud-friendly security solutions. For instance, many legacy solutions rely on manual regexes, which result in an overwhelming number of false positive alerts (or, even worse, false negatives). This not only drains security teams’ resources—it also causes a rift between security teams and other employees, which makes it more difficult to build a strong culture of security.
So what’s a SecDevOps team to do? This is where Snyk and Nightfall come in.
How are Snyk and Nightfall working together for top-notch secrets scanning?
Snyk offers a comprehensive approach to developer security via Static Application Security Testing (SAST), Application Security Posture Management (ASPM), and more. As a leading developer security provider, Snyk has an “app-centric approach” to scanning and suggesting fixes for Common Vulnerabilities and Exposures (CVEs) in code, including in third-party libraries and app management tools. Snyk’s tools also come in handy for scanning for vulnerabilities in AI-generated code.
Given the increasing risk of exposed secrets in the cloud, Snyk tapped Nightfall to provide a critical feature for developer security: Advanced secrets scanning. Nightfall’s AI-powered secrets scanning technology amplifies Snyk’s offerings by helping developers to detect and remediate secrets across the apps that developers use at every stage of the code-to-cloud lifecycle.
How does Nightfall use AI to scan for secrets?
Now that we’ve addressed the risks of leaked secrets in code, SaaS apps, and GenAI tools, it’s clear that businesses have to act quickly to stop the sprawl. This not only means identifying leaked secrets—it also means educating developers and other employees about company policies and best practices to create an enduring culture of security. Nightfall is accomplishing both of these crucial tasks by deploying the industry’s most advanced AI detectors and reimagining the data remediation process for developers.
Nightfall’s detectors use neural network embeddings to pinpoint leaked secrets such as hundreds of kinds of API keys, cryptographic keys, database connection strings, Google Cloud Platform credentials, passwords written in code, and more—all right out of the box.
Whenever a secret is detected, Nightfall has several measures in place to help teams navigate their findings and remediate high priority alerts more quickly. At a glance, Nightfall’s detectors can:
- Understand the context surrounding each potential violation to more accurately identify secrets—and cut down on false positive alerts.
- Be tuned to detect secrets with specified confidence levels, depending on any given business’ risk tolerance.
- Determine whether an API key is active, expired, or unverified. This helps teams to prioritize the most pressing risks first.
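To make the three capabilities above concrete, here is a small added example (not Nightfall's or Snyk's code) of a secrets scanner that combines pattern matching with same-line context scoring, a tunable confidence threshold, and an active/expired/unverified status. The patterns, cue words, sample input and the `fake_probe` stand-in for an issuer check are all constructed for this illustration; a real deployment would call the credential issuer's API in place of `fake_probe`.

```python
import re
from dataclasses import dataclass
# Candidate patterns (constructed for this example): an AWS access key ID and a hard-coded password.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)pass(?:word)?\s*[=:]\s*['\"]([^'\"]{8,})['\"]"),
}
# Words on the same line that raise or lower confidence that a match is a live secret.
POSITIVE_CUES = {"secret", "token", "key", "credential", "prod", "production"}
NEGATIVE_CUES = {"example", "dummy", "test", "placeholder", "fake", "sample"}

@dataclass
class Finding:
    kind: str
    value: str
    line_no: int
    confidence: float
    status: str  # "active", "expired" or "unverified"

def score_context(line: str) -> float:
    """Baseline 0.5; each positive cue adds 0.15, each negative cue subtracts 0.25; clamped to [0, 1]."""
    tokens = set(re.findall(r"[a-z]+", line.lower()))
    score = 0.5 + 0.15 * len(tokens & POSITIVE_CUES) - 0.25 * len(tokens & NEGATIVE_CUES)
    return max(0.0, min(1.0, score))

def scan(text: str, probe, min_confidence: float = 0.5) -> list:
    """Return findings at or above min_confidence; probe(kind, value) returns an issuer's HTTP status or None."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                confidence = score_context(line)
                if confidence < min_confidence:
                    continue  # tunable threshold: this is where the documented placeholder key is dropped
                value = m.group(1) if m.lastindex else m.group(0)
                code = probe(kind, value)  # None means no verifier exists for this kind of secret
                status = "unverified" if code is None else ("active" if code == 200 else "expired")
                findings.append(Finding(kind, value, line_no, confidence, status))
    return findings

# Constructed sample: AWS's documented placeholder key, a made-up "prod" key, and a hard-coded password.
SAMPLE = '''AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
prod_secret_key = "AKIAQWERTYUIOPASDFGH"
db_password = "hunter2hunter2"
'''

def fake_probe(kind: str, value: str):
    """Stand-in for an issuer check (constructed): the made-up prod key is 'live', passwords have no verifier."""
    return (200 if value.startswith("AKIAQ") else 403) if kind == "aws_access_key_id" else None
```

With the default threshold the placeholder key on line 1 is suppressed by its "example" context, the prod key is reported as active, and the password is reported but left unverified; lowering `min_confidence` to 0.0 surfaces the placeholder as a third, expired finding.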
Let’s go back to our example with the developer who shared an API key over GitHub. Once an API key is committed, Nightfall’s detectors will send an automated alert to both the business’ security analyst as well as the developer who caused the policy violation. These alerts can be sent via Slack, email, or Jira ticket. If, as a developer, you receive this alert as a ticket in Jira, you’ll be able to see:
- A custom message from your security team explaining how your latest commit violated the business’ policy against sharing API keys.
- Unredacted data and other useful metadata to understand the specific context surrounding the leaked API key.
After receiving this alert, you’d have all the knowledge you’d need to rotate the leaked API key, remove it from your next commit, and create a new key for future use. This method of remediation offers three overarching benefits:
- Developers can learn how to protect company secrets in hyper-specific, real-world security scenarios.
- Developers’ workflows aren’t impacted by active API keys being automatically redacted or removed without their knowledge.
- Security teams can minimize friction with developers, which is the building block to an overall healthier culture of security.
Can’t wait to get started?
If you’d like to learn more about how Nightfall and Snyk can help you stop the sprawl of secrets in GitHub and beyond, you can sign up for a free risk assessment or schedule a demo with one of our product specialists today.