Brian Vallelunga
Podcast Appearances
Yep. That's awesome. We are. If there is a Doppler token, a Doppler-issued token found on GitHub, GitHub will contact us immediately. We'll immediately revoke the token, notify you, and work with you to generate a new token. And we're going to be investing next year pretty aggressively in the secret scanning space as well. Like really having a full auto picture there.
Like I'd love to be able to say, hey, we found some secrets in your code. We've automatically revoked them, issued new ones. And those new secrets are now not in your code anymore. Like some really powerful workflows like that can just make sure that even though the tooling is set up so that you'd want to use it, if you actually don't use it and you fall back to bad habits, the system catches you.
Detection ahead of the breach, at least in the secret space, is almost zero from my understanding right now. There isn't a class of tooling yet for that. But on the scanning side, there's TruffleHog, there's GitGuardian. GitHub is adding some stuff too. There is a space developing right now where basically you can scan. The goal is to scan the perimeter of your infrastructure, right?
So like Slack, Microsoft Teams, email, your code base.
All of that infrastructure basically will be scanned in real time for secrets. That's basically the extent of what we have today. The problem is, like, you have to connect those dots, right? So, like, you found a secret. What do you do next, right? Especially if you're, like, an individual developer. You don't control the secrets manager that's being used. You don't control,
or if they're not using a secrets manager, what the flow is. And so, like, a classic example that I hear all the time is, oh, we added a secret scanner and the secret scanner found all of our ENV files. But the company has decided we use ENV files.
So like now it's a moot point because we know we've always known secrets were in code because they're in ENV files, but there's nothing to get us to the next step of like getting it out of code. So now all you're doing is surfacing a problem that we can't solve. So I think that's really where like we're trying to help move the industry is connecting the dots.
You found a secret and you can immediately take an action or an action is taken on your behalf based on a policy to clean up the mess.
Yeah, we have a couple blog posts that highlight basic secrets management practices. Outside of the stuff I already shared today around working with your cloud provider, I would strongly recommend having a secret scanner. So TruffleHog is free, use it. It's open source. Or GitGuardian. Both are partners of ours.
The other big thing is outside of secrets, I would have a vulnerability scanner, really important on all your major dependency streams. So like Docker images, Ruby gems, if you're using Node, NPM, but basically any dependency you have, you should have vulnerability scanning on it. Super fricking important.