In the wake of the SolarWinds breach, BluBracket shifts security left by introducing the first tool to rank security risks and identify secrets early in the software development cycle
PALO ALTO, Calif., February 9, 2020 – BluBracket, the leader in code security for developers and security engineers, today is announcing the general availability of its Community Edition, a free, robust and automated tool for finding passwords, tokens and other security vulnerabilities in code. The Community Edition uses a novel, ML-based method for assessing code risk by assigning risk scores to secrets and repositories, so companies can quickly understand and act on security issues found in code.
“The recent SolarWinds hack was the largest breach in history, and many reports say it began with a password left in code,” said Prakash Linga, CEO, BluBracket. “Source code is quickly becoming the largest surface area of attack being exploited by hackers. BluBracket is exclusively focused on addressing the risks in your source code, and now is the right time to make our Community Edition freely accessible so developers and engineers have a robust and professional way to keep credentials out of code.”
New Pre-Commit Tool Shifts Security Left, Helping Developers Prevent Breaks in Their Builds and Keep Code Safe.
The BluBracket Community Edition “shifts security left” earlier in the development process by giving developers a free, easily integrated tool to help them keep credentials and secrets out of code. This matters in Git because once a credential is part of a Pull Request (PR), even if that PR is rejected, it stays in the repository history and can be easily found by hackers. The pre-commit hook of the BluBracket Command Line Interface (CLI) tool scans developer commits to determine whether any new risks were introduced and, if so, blocks the staged files from being committed. The CLI component of the Community Edition works with developers’ CI/CD pipelines and any IDE that supports pre-commit hooks, such as VSCode, JetBrains IntelliJ, and PyCharm.
The BluBracket Community Edition provides developers a Secrets Risk Score which efficiently informs them of the risk of that secret in their code. For instance, an active AWS token would receive the highest score, rated for its potential impact on the business, whereas a password in a test environment would be rated very low. The BluBracket tool is the first of its kind to offer this type of ranking, which is integrated into the developer and security ecosystem workflow.
New Repo Risk Score Helps Security Engineers Prioritize Efficiently.
BluBracket has made it extremely simple for anyone to use the Community Edition. Users simply connect to the BluBracket Community Edition through GitHub, where the tool will begin scanning up to 10 repositories and sharing reports in real time for more than 50 secret types in any language. This scan will give them an instant Repo Risk Score which estimates the impact of the type of credentials found in the code so they can prioritize remediation and drill down into the contributions responsible for the leakage.
BluBracket’s built-in rules engine also automatically reduces the number of false positives that are present in so many other secrets-scanning tools. For example, in a recent product comparison conducted by an early access customer, BluBracket identified that more than 125,000 of the 126,500 “secrets” detected by a popular open source tool were false positives. The reduction in false positives saves companies time and money, as it is labor intensive to maintain these open source tools and comb through the false positives. It also protects companies from leakage by showing them relative risk in an actionable format.
“BluBracket solves a critical need in mapping our distributed code base to give us the visibility and control we need to be prepared,” said Andrew Schmitt, application security lead at iHerb. “We had challenges that just weren’t being addressed by other scanning tools we tried. BluBracket was the first tool to automate secrets detection in our Bitbucket environment and pinpoint risk quickly and efficiently. BluBracket will also help us keep secrets out of our builds by enabling our developers to shift security left via the BluBracket CLI tool.”
“Software supply chain security is perhaps the most pressing issue facing the software industry today. BluBracket is an early mover and innovator in addressing this unprecedented challenge that faces not just the tech industry, but every industry,” said Jim Zemlin, executive director at the Linux Foundation. “We’re using BluBracket’s tools to identify secrets in Linux Foundation repos, which is allowing us to find risks early and improve the security of our code bases.”
Additional features of the Community Edition beyond the CLI and risk scoring include:
- Enhanced security monitoring and alerting that continuously scans repos;
- Comprehensive APIs to integrate into existing CI pipelines, SIEM, messaging, and ticketing solutions;
- A robust rules engine to reduce false positives which are so common in other scanning point tools;
- Unique hashes for secrets that eliminate duplicates; and
- Monitoring of 50+ most common secret types automatically in public or private GitHub repositories.
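The mechanics the release describes (a pre-commit hook that scans staged files and blocks the commit when a new risk appears, a per-secret risk score that rates an active cloud key high and a test-environment password low, and a hash per secret so duplicates collapse to one finding) can be illustrated with a small, generic gate. The script below is an added example written for this page; it is not BluBracket's CLI and does not reproduce its ML scoring or its 50+ detectors. The pattern list, the score values, the path heuristic for test fixtures, and the sample files are all constructed for the demonstration.

```python
"""Minimal pre-commit secrets gate (added example, not BluBracket's code).

Scans the index version of every staged added/modified file, assigns each
finding a coarse risk score, deduplicates findings by a hash of the secret,
and exits non-zero (which blocks the commit) when anything at or above the
threshold is found. Secrets are never printed; only their fingerprint is.
"""
from __future__ import annotations

import hashlib
import re
import subprocess
import sys
from dataclasses import dataclass

# Hypothetical detector set: (name, regex, base score 0-100). A real tool
# covers many more types; these four are enough to show the scoring idea.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 90),
    ("github_token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 90),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 95),
    ("generic_password",
     re.compile(r"(?i)\bpassword\s*[=:]\s*['\"]?([^\s'\"]{6,})"), 60),
]

# Paths that look like test fixtures get a large discount: a password in a
# test environment is rated low, mirroring the scoring described above.
TEST_PATH_RE = re.compile(r"(^|/)(tests?|spec|fixtures|examples?)(/|$)", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    score: int
    fingerprint: str  # sha256 prefix of kind:secret; stable id, never the secret itself


def score_finding(base: int, path: str) -> int:
    """Adjust a detector's base score for where the secret was found."""
    score = base
    if TEST_PATH_RE.search(path):
        score -= 40
    return max(score, 0)


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every detector over one file's content; returns raw findings."""
    found: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, rx, base in PATTERNS:
            for m in rx.finditer(line):
                secret = m.group(1) if m.lastindex else m.group(0)
                fp = hashlib.sha256(f"{kind}:{secret}".encode()).hexdigest()[:16]
                found.append(Finding(path, line_no, kind, score_finding(base, path), fp))
    return found


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan {path: content}; collapse duplicate secrets, keeping the riskiest occurrence."""
    best: dict[str, Finding] = {}
    for path, text in files.items():
        for f in scan_text(path, text):
            cur = best.get(f.fingerprint)
            if cur is None or f.score > cur.score:
                best[f.fingerprint] = f
    return sorted(best.values(), key=lambda f: (-f.score, f.path, f.line_no))


def should_block(findings: list[Finding], threshold: int = 50) -> bool:
    """The commit is blocked when any finding reaches the threshold."""
    return any(f.score >= threshold for f in findings)


def staged_files() -> dict[str, str]:
    """Return {path: content} for files staged as added or modified (index version)."""
    names = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
        capture_output=True, text=True, check=True).stdout.split()
    out: dict[str, str] = {}
    for name in names:
        blob = subprocess.run(["git", "show", f":{name}"], capture_output=True, check=True).stdout
        out[name] = blob.decode("utf-8", errors="replace")
    return out


# Constructed sample input: a fake AWS key id and a password in application
# config, plus the same password repeated in a test fixture.
SAMPLE_FILES = {
    "src/config.py": 'AWS_KEY = "AKIAAAAABBBBCCCCDDDD"\npassword = "hunter2hunter"\n',
    "tests/fixtures/settings.yaml": "password: hunter2hunter\n",
}


def main(argv: list[str] | None = None) -> int:
    argv = sys.argv if argv is None else argv
    threshold = int(argv[1]) if len(argv) > 1 else 50
    findings = scan_files(staged_files())
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.kind} score={f.score} id={f.fingerprint}")
    if should_block(findings, threshold):
        print("commit blocked: remove the credential and re-stage", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it as a hook, copy the file to `.git/hooks/pre-commit` and make it executable; the optional first argument is the blocking threshold. On the constructed sample the fake AWS key scores 90 and the password 60 (the copy in `tests/fixtures/` would score 20 and is folded into the higher-scoring finding by its fingerprint), so the commit is blocked at the default threshold, while the same password appearing only in a test fixture scores 20 and is allowed through.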
Because community support is needed for this tool, BluBracket is offering $50 Amazon gift cards to the first 100 users who join the community and give feedback. For more information about the BluBracket Community Edition and the promotion, and to get started today, please visit: https://blubracket.com/blubracket-community-edition/
By empowering developers to prevent security vulnerabilities early in the software development process and giving security professionals an automated and developer-friendly way to ensure code is secure, BluBracket is the first comprehensive solution for code security. More information can be found at www.blubracket.com.