NHI Forum

Prevention-First Security: Orange Business’ Secrets Transformation Journey


(@gitguardian)
Estimable Member
Joined: 10 months ago
Posts: 54
Topic starter  

Read full article here: https://blog.gitguardian.com/how-orange-business-transformed-secrets-security-with-a-prevention-first-approach/?utm_source=nhimg

 

Orange Business faced a massive secrets management challenge: 3,000+ developers across hundreds of projects, with secrets scattered not just in Git repositories, but also in Teams, Confluence, Jira, container registries, and more. Traditional scanning tools couldn’t scale effectively, producing overwhelming volumes of false positives and leaving gaps in enforcement.

 

The Challenge: Scale Meets Complexity

  • Developers unintentionally expose 2–3 secrets per year on average. At enterprise scale, this could mean thousands of potential exposures annually.
  • Existing tools like Vault were only partially adopted, creating visibility gaps.
  • Open-source scanners (e.g., GitLeaks) struggled with volume, false positives, and lifecycle management—Project Alpha saw 17,000 detected secrets, mostly noise.

 

The Regulatory Catalyst

  • NIS 2 Directive mandates proper secrets management and encryption by 2028.
  • Orange Business proactively evaluated solutions that combined technical efficacy with compliance readiness, rather than reacting to deadlines.

 

GitGuardian: Accuracy That Enables Adoption

  • Proof-of-concept showed dramatic improvement: Project Alpha’s 17,000 false positives with GitLeaks → 1 valid secret detected with GitGuardian.
  • Key features that drove adoption:
    • False positive rate < 5% → trusted by developers
    • 500+ secret type detectors for both specific and generic secrets
    • Automated prioritization and lifecycle management
    • Centralized governance with distributed remediation

Insight: High accuracy is not optional—it’s the difference between adoption and neglect.

 

Prevention-First Strategy

  • Prevention > Remediation: Once a secret is pushed, it persists in commit history and in every clone, fork and CI cache; rewriting history does not revoke it, so the key still has to be rotated. Preventing the exposure is far cheaper and more reliable than cleaning up afterwards.
  • Three-layer approach balances enforcement with developer experience:

    Layer                               | Purpose                                          | Notes
    Developer Workstation (Optional)    | Shift-left scanning before commit                | Early detection, low friction, encourages ownership
    GitLab Pre-Receive Hook (Mandatory) | Server-side enforcement when a push is received  | Blocks secrets, provides bypass with incident tracking; phased rollout reduced stored secrets by 80%
    Post-Commit Scanning (Continuous)   | Catch anything that slips through                | Continuous monitoring for edge cases or bypasses

Behavioral Impact: Developers proactively fixed code when alerts were accurate, reinforcing good security habits.
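As an added example (not Orange Business' hook and not GitGuardian's detectors), here is what the mandatory middle layer looks like as a minimal GitLab pre-receive hook in POSIX sh. It scans only the added lines of each pushed commit range for a few well-known secret formats, rejects the push when one is found, and honours a `git push -o skip-secret-scan=<incident-id>` bypass that is appended to an incident log so every override is tracked. The regexes, the push-option name and the log path are assumptions chosen for the illustration; `GL_USERNAME` and `GIT_PUSH_OPTION_<i>` are the real variables GitLab and git expose to server hooks.

```shell
#!/bin/sh
# Added example: a minimal pre-receive hook with a tracked bypass.
# Not Orange Business' or GitGuardian's code; patterns, option name and
# log path are assumptions for the illustration.
set -u

# Illustrative regexes for a few well-known key formats (assumed, not a real detector set):
# AWS access key id, GitHub personal access token, PEM private key header.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----'
INCIDENT_LOG="${INCIDENT_LOG:-/tmp/secret-bypass.log}"   # assumed location

# find_secrets: read a unified diff on stdin and print only the *added* lines
# (skipping '+++ file' headers) that match a secret pattern. Never fails.
find_secrets() {
    grep -E '^\+' | grep -Ev '^\+\+\+ ' | grep -E "$SECRET_PATTERNS" || true
}

# count_secrets: number of matching added lines in the diff on stdin (prints 0 if none).
count_secrets() {
    find_secrets | grep -c . || true
}

# bypass_ticket: given the push options (git push -o ...), print the incident id from
# an option of the form skip-secret-scan=<id>; print nothing when absent.
bypass_ticket() {
    for opt in "$@"; do
        case "$opt" in
            skip-secret-scan=?*) printf '%s\n' "${opt#skip-secret-scan=}"; return 0 ;;
        esac
    done
    return 0
}

# decide: classify one push. Diff on stdin, push options as arguments.
# Prints ALLOW, ALLOW-BYPASS:<id> or BLOCK:<n>; returns 0 to accept, 1 to reject.
decide() {
    n=$(count_secrets)                     # consumes the diff on stdin
    if [ "$n" -eq 0 ]; then
        echo ALLOW; return 0
    fi
    id=$(bypass_ticket "$@")
    if [ -n "$id" ]; then
        # Tracked bypass: accept the push but record when, who, which ticket and how many hits.
        printf '%s\t%s\t%s\t%d secret(s)\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            "${GL_USERNAME:-unknown}" "$id" "$n" >> "$INCIDENT_LOG"
        echo "ALLOW-BYPASS:$id"; return 0
    fi
    echo "BLOCK:$n"
    echo "push rejected: $n potential secret(s) added; rotate them or push with -o skip-secret-scan=<incident-id>"
    return 1
}

# Entry point when git runs this file as a pre-receive hook (git sets GIT_DIR for hooks).
# stdin carries one "<old-sha> <new-sha> <ref>" line per updated ref; push options arrive
# as GIT_PUSH_OPTION_COUNT / GIT_PUSH_OPTION_<i>.
if [ -n "${GIT_DIR:-}" ]; then
    set --
    i=0
    while [ "$i" -lt "${GIT_PUSH_OPTION_COUNT:-0}" ]; do
        eval "set -- \"\$@\" \"\$GIT_PUSH_OPTION_$i\""
        i=$((i + 1))
    done
    zero=0000000000000000000000000000000000000000
    status=0
    while read -r old new ref; do
        [ "$new" = "$zero" ] && continue                                  # branch deletion: nothing to scan
        [ "$old" = "$zero" ] && old=$(git hash-object -t tree /dev/null)  # new branch: diff from the empty tree
        git diff "$old" "$new" | decide "$@" >&2 || status=1
    done
    exit "$status"
fi
```

The same `find_secrets` and `decide` functions can back the optional workstation layer as a local pre-commit hook fed with `git diff --cached`, which is what makes the first layer low-friction: the developer sees the identical verdict before the server does. Note that a bypass here accepts the push but does not make the secret safe; the incident log exists so that the key gets rotated and the bypass reviewed.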

 

Expanding Beyond Code

  • Orange Business is broadening coverage to documentation systems, communication platforms, container registries, and application logs, recognizing that secrets leak outside code.
  • Goal: Comprehensive, enterprise-wide visibility and enforcement.

 

Key Lessons for Enterprises

  1. Prevention Is the Most Valuable Investment
    Stop secrets before they commit; remediation is costly and incomplete.
  2. Developer Experience Drives Adoption
    False positives ≤ 5% is critical to ensure trust and compliance.
  3. Phased Rollouts Build Confidence
    Gradual activation with feedback loops avoids disruption and builds buy-in.
  4. Enterprise Features Enable Scale
    Centralized dashboards, distributed remediation, audit trails, and compliance reporting are essential.
  5. Accuracy Enables Scale
    Reliable detection allows security teams to focus on real risks instead of investigating noise.

 

Closing Insight

“We work with developers, not against them. Tools must be invisible to those doing the right thing and enforce security where it’s needed.”

Orange Business’s prevention-first, developer-centric approach demonstrates that effective secrets security at enterprise scale is possible—without sacrificing velocity or developer trust.
