Transforming DevSecOps Starting with Real-Time Secrets Detection: Why We Are Excited to Back GitGuardian
As a DevSecOps company operating in a very complex and dynamic ecosystem, we found in Sapphire the perfect partner for GitGuardian Series B. The Sapphire team and our dedicated partner Andreas have demonstrated a very deep understanding of our industry, which will help us make the best and most informed strategic decisions.
– Jérémy Thomas, co-Founder & CEO, GitGuardian
With 1,291 data breaches recorded in 2021, the count has already exceeded the 2020 total. It’s no wonder that business data breaches, potentially causing millions of dollars in damages, are a top fear among many organizations today.
But what’s shocking to note is that over 80% of hacking-related data breaches involve brute force or the use of lost or stolen credentials, which can easily be prevented with real-time monitoring. In response, we’ve seen the evolution of an entire industry take shape: DevSecOps. The convergence of security and development has shifted from a buzzword into a significant spending priority.
As background, DevSecOps refers to security practices that are baked into the development process rather than added as a “layer on top,” allowing developers and security professionals to harness the power of agile development without short-circuiting the goal of creating secure code. Global 2000 companies are embracing this trend with increasing momentum as more and more companies adopt “shift left” developer-focused security tools.
Today, we’re excited to partner with GitGuardian, which focuses on real-time secrets detection (API keys, certificates, usernames/passwords, etc.) and security policy enforcement by scanning a company’s external and internal code repositories. The solution helps developers fix vulnerabilities while also educating them by focusing on coding errors and prevention. By empowering developers, GitGuardian eases the burden on security teams, providing them with the enforcement capabilities, visibility and control they need.
Here’s more on why we are excited to back GitGuardian:
Addressing a Large and Rapidly Growing Problem
According to the 2021 State of Secrets Sprawl on GitHub report, the number of secrets found on GitHub is growing at an annual rate of 20%. The report also finds that 15% of leaks on GitHub occur within public repositories owned by organizations, and 85% of the leaks occur on developers’ personal repositories. Secrets in these repositories can be either personal or corporate, which is a huge risk for companies, as some of their corporate secrets are exposed publicly through current or former developers’ personal repositories.
This problem continues to grow and be exacerbated for a number of key reasons:
- The growth of GitHub: GitHub gathers more than 50 million developers working on their personal and/or professional projects, creating c. 60M repositories per year and adding nearly two billion contributions annually.
- Shift to the cloud: As architectures move to the cloud and increasingly rely on third-party components and applications, the growing number of commits and the use of digital authentication credentials have increased the number of secrets being mistakenly leaked.
- Continuous development: As companies continue to push for shorter release cycles, the risk of mistakes and secrets leakage only increases.
- Company growth: As companies grow, so do the number of repositories, the number of developer teams and, typically, their geographical spread, which increases the complexity of enforcing good security practices and the likelihood of secrets leakage.
As more organizations look to adopt “shift-left” developer-focused security tools, GitGuardian is able to capitalize on these tailwinds given their developer-first focus.
An Ingenious Go-To-Market (GTM) Approach
GitGuardian has built an innovative flywheel sales motion, enabling the team to build strong developer market awareness and bottom-up adoption.
GitGuardian sends approximately 3,600 free alerts daily to developers who may have mistakenly leaked a secret, driving downloads of its free product, which now has more than 110,000 installs and is the #1 most installed security app on GitHub.
GitGuardian is able to take advantage of its product-led growth model with strong bottom-up developer adoption to then sell its paid products to security teams through developer recommendations. Through this, GitGuardian has won sector-leading customers including the likes of Datadog, Genesys, Instacart and Talend.
Breadth of Platform
GitGuardian’s proprietary secret detection algorithms were originally built on public repositories. What soon became clear was the importance of monitoring not only public repositories but also private ones. Internal systems within companies are often treated with complete trust and, as a result, secrets are more freely shared.
GitGuardian offers the ability to monitor both internal and external repositories, and the product’s technical strength in doing so has enabled GitGuardian to repeatedly win against the competition to date.
The DevSecOps market was valued at $2.2B in 2019 and is expected to grow at a CAGR of 30.8%. We believe GitGuardian is disrupting this huge, rapidly growing market, and that through GitGuardian’s free alerts, existing products and product roadmap, the platform has strong developer awareness and differentiated positioning.
A Visionary Team with Strong Industry Experience
We are thrilled to be backing co-founders Jérémy Thomas and Eric Fourrier, who immediately impressed us with their drive, experience and the strong technical talent they have recruited. The two are gifted leaders driven to build a globally leading developer security platform; they previously co-founded a data-science development agency together, and both are graduates in applied mathematics and artificial intelligence.
At Sapphire, we have a long history of investing in and building companies of consequence within the DevOps category. We knew from our first meeting with Jérémy and Eric that the GitGuardian journey is one we wanted to play a part in. We are therefore thrilled to join our friends at Eurazeo and Balderton in their Series B round and are excited to help GitGuardian continue to successfully execute on their vision to become a company of consequence within DevSecOps.
Information provided herein should not be used or considered as an offer to sell or a solicitation of an offer to buy an interest in any investment fund managed by Sapphire Ventures (“Sapphire”). Information provided reflects Sapphire’s views as of a point in time; such views are subject to change at any point and Sapphire shall not be obligated to provide notice of any change. Views presented may reflect the authors’ opinion and/or interpretation and Sapphire provides no assurance as to the accuracy of such views. Various content and views contained within this article represent those of third-party guests, which do not necessarily reflect the views of Sapphire. Such views are subject to change at any point and do not in any way represent official statements by Sapphire. Various statements made by third-party guests about Sapphire relate to the nature and type of management services provided by Sapphire and do not constitute testimonials to Sapphire’s investment advisory services, and no inference to the contrary should be made. Companies mentioned in this article are a representative sample of portfolio companies in which Sapphire has invested and which the author believes fit the objective criteria stated in the commentary; they do not reflect all investments made by Sapphire. A complete alphabetical list of Sapphire’s investments made by its direct growth and sports investing strategies is available here. No assumptions should be made that investments listed above were or will be profitable. Due to various risks and uncertainties, actual events, results or the actual experience may differ materially from those reflected or contemplated in these statements. Nothing contained in this article may be relied upon as a guarantee or assurance as to the future success of any particular company. Past performance is not indicative of future results.