Klaviyo

Challenge

• As a high-growth leader in digital commerce, customer trust comes first for Klaviyo.
• Klaviyo's Director of Security Operations identified secrets leakage, like API keys in code repos, as a huge reputational risk. However existing tools proved ineffective at fully addressing the problem.

Solution

• Nightfall's high accuracy detection of API keys and automation capabilities allowed Klaviyo's security team to confidently find and remove secrets in GitHub at scale.

‍Detecting secrets at scale with open-source tools

Shaun DeWitt is Klaviyo’s Director of Security Operations. The Security Operations team monitors Klaviyo’s internal systems for potential issues such as security anomalies, misconfigurations, and risks, and has built alerting and automations to take actions to continuously improve and respond to security events. They started using open-source software to search for secrets within their code repos. This quickly became an untenable option as the tools couldn’t handle the large sizes of Klaviyo’s repos, and they didn’t integrate well enough with GitHub’s API to run efficiently.

Searching for sensitive data that could have been written to any one of their many code repositories is a huge task that eats up a lot of time and resources for Klaviyo’s Security Operations team. This takes away from other initiatives like building tools, running simulated attacks, and helping secure the rest of the company’s cloud infrastructure. Nightfall for GitHub is the secrets detection solution that’s streamlined, automated, and was easy to implement for Klaviyo.

“We couldn't scan our repos as fast as we wanted,” says Shaun. “Even if we had code that was working 100 percent of the time, it was only able to scan all of our repositories as historical scans. To make this work the way we wanted, we would have to build tooling on the backend.”

Shaun’s team compared the open source solutions with what Nightfall for GitHub could do. Nightfall’s automated scans for secrets & credentials in Klaviyo’s GitHub repos outperformed the previous options they used, streamlining their entire detection and remediation process and reducing resources and bandwidth costs, all in one platform.

A seamless solution through a native GitHub integration

“We tasked Nightfall to solve a few of our key initiatives,” says Shaun. “The first was to continuously monitor our repositories for secrets. It worked flawlessly. We can identify sensitive information and get alerted on it so we can review the findings and take action.”

“The second was historical repository investigations. With Nightfall, we can look back at alerts and identify events that may have been introduced into our environment that were deleted, so we can clean up any data we don’t want in our code base.”

“The third, which is the biggest proof of value for us, is reducing risk for the company. We removed the need to develop and maintain this hybrid solution ourselves. We no longer have to do ongoing support and maintenance on it. Nightfall removed that cost and added value as security support for our environment.”

The team receives Slack notifications on alerts so they can manage their remediation workflows in real time within the infrastructure they built. “We can login to our Nightfall dashboard when we see something that we think is worth a closer look from our Slack alerts,” says Shaun. 

“By preventing sensitive data from reaching our code repositories, we reduce the chances of data exposure. For us, DLP is the ability to reduce risk for the company and allows us to build customer trust.”
Shaun DeWitt
Director of Security Operations

Nightfall also provides fast and easy remediation options for Klaviyo by allowing the team to send support tickets to engineering teams, directly from the Nightfall GitHub alerts. “Nightfall gives us a preview of lines of code where the sensitive data is flagged. We have the ability to go into there, get it, send it, or resolve it immediately. We appreciate that because it's a seamless triage and resolution process," says Shaun.

Nightfall DLP is a trust symbol for Klaviyo

Nightfall solved the immediate need for Klaviyo to manage their secrets detection and remediation in GitHub more efficiently. Shaun’s team also gets added value from integrating data loss prevention (DLP) into their overall security strategy — and the associated symbol of trust that comes with DLP. 

“For us, DLP is a risk reduction tool,” says Shaun. “It allows us to reduce exposing sensitive data in our repos. We also prevent data from leaking when someone leaves our organization.”

Klaviyo’s customers can trust that the security team is working with the strongest data security standards and putting platforms in place to ensure Klaviyo’s code bases are protected against secrets disclosure. Nightfall for GitHub makes this trust symbol attainable for Klaviyo and other companies looking to build custom solutions to prevent data sprawl and leakage.