Security vulnerabilities are a significant workflow disruption when discovered near the end of development. Vulnerabilities found after release are a bigger problem. Depending on the severity, patching vulnerabilities can become the team’s number one priority, impacting the roadmap. If a vulnerability is exploited or causes a loss or compromise of data, organizations can suffer reputation damage.
Avoiding the discovery of vulnerabilities at the end of the development cycle is one of the primary motivators to shift left and adopt a DevSecOps approach. Over 70% of organizations claim to integrate security into their development processes. Yet less than 25% of security issues are found during development, demonstrating room for improvement.
Code review—looking for bugs, inefficiencies, and other issues in newly-written code—is one of the crucial steps needed before committing and pushing changes to production. Typically, this is a peer review performed by your development team. Nearly 45% of developers report that they review code weekly.
It's a necessary process in software development, but reviewing code takes time away from writing code, and many teams bottleneck on reviews from a limited number of security domain experts. Facing resource constraints, teams face a trade-off between a strict code review process, which has the best chance of finding bugs but can be a blocker, and a faster informal process that risks skipping review.
Last week, we announced the acquisition of PullRequest. PullRequest’s technology and code reviewers eliminate that trade-off, producing high-quality results without the bottleneck. They provide developer-focused security testing solutions to your organization. These changes help customers release reliable software faster by embedding expert security reviewers in their Software Development Lifecycles (SDLCs).
PullRequest is the pioneer of code-review-as-a-service. Their network of reviewers is thoroughly background checked and vetted, with years of experience as software engineers at leading technology companies in Silicon Valley.
We believe what is being called “developer-first” is the future of security. PullRequest reviewers integrate seamlessly into your team's existing code review processes and pipelines. Reviews are comprehensive in their search for security vulnerabilities, performance issues, and other bugs and weaknesses.
This acquisition builds on HackerOne’s history of improving application security, with a new emphasis on developer-first solutions. PullRequest’s reviewers address the first step—preventing bugs from reaching production. Combined with pentests and bug bounties, these steps help our customers close their attack resistance gap between what they can defend and what they need to defend—by offering software testing closer to development.
If you'd like to learn more about how this community can empower your developers to find and fix vulnerabilities early, we'd love to chat. Reach out to your HackerOne Success Manager to discuss early access.