Ever found a vulnerability and wondered about the best way to handle it? Usually, the procedure involves sending an email or writing a report to notify the relevant teams. However, there is a more proactive and hands-on strategy: submitting a pull request with the fix yourself.
Imagine being more than just the person who spots issues, becoming an active participant in the solution. This strategy is not confined to the role of an appsec engineer. If you’ve stumbled upon a vulnerability in an open-source project, this is for you too!
Diving deeper, the act of submitting a change brings you into the core processes that take code from an initial edit to running in production. It is a golden opportunity to witness the peer review, integration, testing, and deployment stages firsthand, essentially experiencing the entire cycle.
Understanding the details of these processes, such as the branching strategy, the peer review and approval process, and the time it takes for a change to go live, is an invaluable learning experience. This knowledge is pivotal during emergencies, when a quick fix needs to be pushed through. Moreover, it fosters stronger relationships with the engineering team as you begin to grasp their challenges and pain points, possibly helping to address them while raising the security posture.
Contrary to the perception of security teams operating in isolation, dictating the necessary actions from an ivory tower, this method promotes synergy and collaboration. It establishes a platform where security and engineering teams operate hand in hand as peers, breaking down the barriers and fostering a harmonious working environment.
While advocates of a clear separation of duties may voice concerns, it is essential to note that a similar level of separation can be maintained through peer reviews from developers and security assessments from appsec peers. The approach therefore promotes collaboration without compromising the foundational principles of duty segregation.
In summary, opting to submit a pull request the next time you find a vulnerability could open up a world of rich experiences and collaborative growth. It's not just about spotting the flaw; it's about playing an active part in fixing it and watching your code become a vital component in production, a perspective that is indeed golden.