HashiCorp Vault to expand in DevSecOps with BluBracket buy

HashiCorp Vault users will be able to scan for secrets in DevSecOps pipelines and bring them into their existing secrets management process once the vendor folds in IP from a startup it acquired this week.

HashiCorp expects to integrate BluBracket's secrets scanning into its HashiCorp Vault secrets management product later this year, according to a press release. Financial terms of the acquisition were not disclosed.

A majority of BluBracket's employees, including Prakash Linga, BluBracket co-founder and CEO, will join HashiCorp. While it was not disclosed how many employees there are, BluBracket's LinkedIn profile says it has 14 employees. The company was founded in 2019 and has raised $12 million in series A funding, according to the same profile page.

"With HashiCorp Vault, we've been doing a lot to manage the storage of secrets, managing their lifecycle and making those secrets available to applications and to people," said James Bayer, HashiCorp's senior vice president of R&D for the Secure product line, in a video chat with Linga posted by HashiCorp in a blog announcing the acquisition. "But we've never had the capability to discover and find secrets and then import them into Vault."

There are other options here … firms may choose to align the secrets scanning capability with their DevOps pipeline tooling, rather than their secrets management tooling.

While this represents more choice for HashiCorp Enterprise customers, it also presents a potential dilemma. Other vendors also offer secrets scanning products and services, such as Microsoft's Defender for Cloud and GitHub Actions Secrets in GitHub Enterprise.

"Most firms do not scan for secrets currently, but as they get to the maturity where this is identified as a need, it is smart for Hashicorp to give them an option that easily integrates into Vault," said Andrew Vezina, chief information security officer at Equitable Bank in Toronto. "There are other options here, though -- firms may choose to align the secrets scanning capability with their DevOps pipeline tooling, rather than their secrets management tooling."

Equitable Bank recently adopted HashiCorp Boundary Enterprise along with Vault but has yet to settle on a secrets scanning tool. Ultimately, it may be easier to leave secrets scanning to tools already present in DevOps pipelines, such as static code analysis, container security and software composition analysis utilities, Vezina said.

"It seems simpler to implement secrets scanning using the tools that are already performing scans of source code and then just refer the findings to the IAM team for onboarding to the secrets management solution," he said. 

Hashicorp's competition

With the BluBracket acquisition, HashiCorp also moves into competition with vendors such as GitGuardian and Truffle Hog, among others, said Jim Mercer, an analyst at IDC.

Jim Mercer

"This new acquisition should give them a stronger position when competing against other enterprise secrets management [tools]," he said. "At some point, the BluBracket technology could also be integrated into HashiCorp Waypoint as well."

It's not certain whether enterprises will buy in to secrets scanning from HashiCorp or stick with DevOps pipeline tools, but there are potentially advantages to using Vault for both, Mercer said.

"There has been a bit of a disconnect between identifying secrets and managing them," he said. "If these capabilities can be tightly integrated, then when I find secrets in my code with a single tool, nd I can manage them simultaneously, that streamlines the process."

It's historically been rare for HashiCorp to make acquisitions; it bought DevOps tooling vendor Vektra in 2016. But since its debut as a publicly traded company in 2021, the vendor's competitive strategy has become more expansive. Its newer products, such as Waypoint and HashiCorp Boundary Enterprise, expand HashiCorp's competitive overlap continuous delivery vendors such as Acorn Labs and Spotify Backstage, as well as privileged access management vendors such as CyberArk.

Cloud security has been an explicit area of focus for HashiCorp's product expansion, according to presentations by CEO David McJannet at HashiConf last year.

"Perhaps the acquisition of BluBracket is a signal that Hashicorp plans to compete in the AppSec and DevSecOps space, which would be complementary with Terraform," Equitable Bank's Vezina said. "But it would take some time and investment to catch up with Snyk, Checkmarx and others."

Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.