Legit Security Delivers AI-Powered Accuracy to Secrets Scanning

Comprehensive secrets detection and prevention secures developer data across the entire development ecosystem.

Palo Alto, CA - January 23, 2024  -- Legit Security, the leading application security posture management (ASPM) platform that enables secure application delivery, today announced expanded and AI-powered capabilities to detect and protect secrets across the software development pipeline. With secrets at the heart of enabling applications to operate, understanding where they exist – beyond hard-coded secrets and source code - and preventing secrets from leaking is paramount.

Secrets – including API keys, access keys, passwords and personally identifiable information (PII) – are a focal point for attackers due to their high value and the increasing sprawl of such data within development environments. In addition, well-known supply chain attacks have resulted from the exposure of secrets often found within source code. Protecting secrets is also central to meeting global compliance requirements, such as the European Union General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS) and many other state, federal and industry requirements.

Innovating Secrets Scanning with AI 

Secrets scanners are known to often have a high false positive rate, especially when not finely tuned or customized for the specific customer environment. With this release, Legit is the first to apply AI/ML to significantly reduce noise associated with secrets scanning. The context around many secrets, which can be complex, drives a significant volume of noise, and false positives. Legit uses a set of advanced heuristics and custom AI to deliver extremely accurate results.

 

Detecting Secrets Across Development Environments

Legit delivers comprehensive security by leveraging AI to detect secrets across all development assets, including code repositories, source code management (SCM) tools, build tools and logs, artifacts, private and public documentations, and more. In addition, Legit’s deep analysis uncovers buried secrets within assets such as source code history or modified Confluence pages. These assets are still accessible and sought after by malicious actors but are hard to discover by conventional means or available AppSec scanners. Legit's visibility and context enable CISOs and their teams to more effectively detect secrets, prioritize remediation, and put preventive guardrails in place.

“We see more CISOs and their teams prioritize secrets as a security initiative, driven heavily by the fact that many of their peers have experienced secrets compromised,” said Legit co-founder and CEO Roni Fuchs. “We are pioneering the way for a complete developer data security by introducing major innovations that give security and engineering teams a way of protecting sensitive data and preventing new secrets from being exposed everywhere.”

With Legit, CISOs and their teams can identify, remediate, and prevent the loss of secrets across developer tools, ranging from GitHub, GitLab, Azure DevOps, and Bitbucket to Docker images, artifacts, Confluence pages, and more. Key benefits of Legit secret scanning include:

  • End-to-end SDLC visibility and prioritization: Legit detects secrets beyond the source code to examine all components of the development pipeline. The Legit platform continuously discovers new assets and automatically protects them from loss.
  • Fast and simple administration: with centralized management, Legit makes creating custom policies, managing exceptions and executing secret scanning simple.
  • Complex risk detection and prioritization: Legit’s broad visibility enables the discovery of secrets that might otherwise be missed, including toxic combinations (e.g., those exposed by a user making a repo public). The context Legit provides allows users to prioritize what’s most important, like secret validity checks or adjusted severity levels that consider the criticality and exploitability of the service.
  • Reduce false positives: By leveraging a continuously learning analytics engine, Legit increases the accuracy of secrets detection. In addition, Legit brings a highly productive triage and baseline experience to build exceptions and fine-tune results in no time.
  • Scalable for large development teams: Unlike open source-based tools, Legit built secret scanning to meet large enterprises' performance and scalability requirements.
  • Secrets leak prevention and remediation: Legit enables preventive guardrails on developer endpoints using the Legit CLI and can stop secrets using SCM hooks before code push. In addition, automated workflow can reach developers as part of a pull-request or create Slack messages or Jira tickets to streamline remediation.

 

About Legit Security

Legit Security provides an application security posture management platform that secures application delivery from code to cloud and protects an organization's software supply chain from attacks. The platform’s unified application security control plane and automated SDLC discovery and analysis capabilities provide visibility and security control over rapidly changing environments and prioritize security issues based on context and business criticality to improve security team efficiency and effectiveness.

Share this guide

Published on
January 23, 2024

Book a 30 minute demo including the option to analyze your own software supply chain, if desired.