Crestvale Newsroom

GitGuardian scans dev laptops for plaintext secrets

The security boundary is shifting from systems to identities, and endpoints are now at the center of that change. Developer machines are increasingly becoming the easiest path into production environments as credentials leak through logs, caches, and AI tooling. This matters because traditional security models still separate endpoint protection from identity control. That gap is now where most real-world breaches are happening. At the same time, active exploitation of Fortinet vulnerabilities shows how quickly attackers move once patches are released, while new policy from France is forcing organizations to accelerate plans for quantum-safe cryptography. AI agents are adding another layer of risk as untracked identities with real access begin to spread across environments. Also covered: Databricks reframing AI governance, CrowdStrike removing standing privileges for agents, Zscaler mapping AI access relationships, regulatory fines for weak controls, and continued SaaS-driven breach paths. Learn more at https://crestvale.io

SPEAKER_00

Attackers are no longer breaking in. They are logging in using credentials your developers already left behind. And the endpoint you thought was just a device is now your weakest identity boundary. This is the Crestvale Newsroom Daily Podcast.

GitGuardian just made a very direct statement about where the threat model has shifted. The developer laptop is now a primary entry point into production systems, not because of malware, because of credentials. Their new endpoint protection product scans developer machines for plaintext secrets. That includes API keys, tokens, and credentials sitting in shell history, logs, and local caches. The kind of artifacts most teams do not track and rarely clean up. This is not theoretical. This is based on a steady stream of breaches where attackers did not need exploits. They just found valid credentials on endpoints and used them.

What stands out here is the shift in framing. GitGuardian is treating the endpoint as a credential store, not just a device. That matters because most security stacks still separate endpoint security from identity risk. One team looks for malware. Another manages access. Meanwhile, credentials sit in between, exposed and unmonitored. This approach closes that gap. It scans quickly through MDM, surfaces high-risk secrets, and maps each one to the systems it can access. That mapping is key. It turns a stray token into a clear blast radius.

There is also a second layer to this. AI coding agents are leaving behind their own residue. Logs, temporary files, and tool integrations are creating new places where credentials quietly accumulate. GitGuardian is explicitly scanning for this agent-related data, including MCP servers and artifacts most teams are not even inventorying yet. That is a preview of where things are heading. Machine-driven development is expanding your attack surface faster than your controls are adapting.

And then there is detection. They are using honeytokens tied to these secrets. If a stolen credential is used, it triggers a real-time alert. That shifts response from passive scanning to active detection. Here is why this matters. If your endpoint strategy does not treat every developer machine as part of your identity perimeter, you are missing where attackers are actually getting in today.

Now, the more immediate risk. Fortinet FortiSandbox vulnerabilities are now under active exploitation. These are not edge cases. These are low-complexity paths to remote code execution, including unauthenticated command injection, no login required, no user interaction, just a crafted request. Patches were released in April and June. Exploitation is already happening. That includes a vulnerability that had no prior public exploitation, which suggests attackers were ahead of disclosure.

This pattern should feel familiar. Fortinet releases fixes, attackers move quickly, defenders lag. The problem here is where FortiSandbox sits. It is part of your malware analysis pipeline, a high-trust system by design. If that system is compromised, attackers are not starting at the edge. They are landing inside a trusted layer of your environment. The guidance is straightforward. Patch immediately. Then assume exposure and look for signs of compromise. Anything slower is a risk decision.

Meanwhile, France just forced a timeline on post-quantum cryptography. The National Agency for the Security of Information Systems, or ANSSI, will stop certifying security products without quantum-resistant encryption in 2027. No certification means no deployment in government or critical infrastructure. By 2030, the expectation is that organizations will only procure quantum-safe products. This turns what has been a long-term roadmap into a near-term compliance issue. And it creates a bottleneck. Certification becomes the gate. Vendors that are not ready lose access to regulated markets.

For operators, this means you need visibility now. Where are you using algorithms that will not hold up in a post-quantum world? That includes signing systems, identity infrastructure, and anything relying on current elliptic curve standards. There is also the data risk. Harvest now, decrypt later is no longer abstract. Data stolen today could be readable in the next decade. Waiting pushes you into a compressed and expensive migration later.

Now on AI agents. AppViewX is making a bet that identity is the control point that will matter most. Their new approach treats AI agents as first-class identities. Not tools, not processes. Identities. The issue they are targeting is not rogue AI. It is invisible sprawl. Agents are being deployed faster than teams can track them. Each one may have access to data, systems, or APIs. Most are not governed in a consistent way.

AppViewX is building continuous discovery to create an inventory of agents, models, tools, and credentials. Think of it as an AI bill of materials. They are also shifting access control from roles to tasks. An agent gets access only for the specific job it is performing, nothing more. And this all ties back to PKI. They are anchoring agent identity in cryptography, which aligns with both machine identity scale and the coming pressure from post-quantum requirements. The direction is clear. If you are deploying AI agents without identity controls, you are creating untracked privileged actors inside your environment.

Here is what else is worth knowing today. Databricks is pulling AI governance into runtime control, combining identity, spend, and behavior before things fragment across tools. CrowdStrike is removing standing privileges for AI agents, signaling a move toward just-in-time access for machine identities. Zscaler is building an AI access graph focusing on mapping real-time relationships between agents and data. The Australian Securities and Investments Commission fined a firm $2.5 million Australian dollars for weak cyber controls, reinforcing that underinvestment now has direct financial consequences. And iRhythm reported a breach path through social engineering into third-party apps, another reminder that SaaS identities remain a primary entry point.

Here is the takeaway. Treat every endpoint and every AI agent as an identity with enforceable boundaries, or attackers will do it for you. Tomorrow we are watching how vendors start enforcing just-in-time access across human and machine identities as standing privileges continue to disappear. If this was useful, follow the Crestvale Newsroom daily podcast so you don't miss it. Thanks for listening.