HackerOne Acquires YC-Backed PullRequest to Enhance Code Review on Bug-Squashing Platform

PullRequest, a five-year-old startup that emerged from Y Combinator in 2017, has been helping software developers by providing an external code review team. This not only aids in identifying bugs that might have been overlooked but also helps detect security vulnerabilities before the software hits production.

Why PullRequest is Crucial for Security

The acquisition of PullRequest by HackerOne, a bug bounty company, is a strategic move to expand HackerOne's capabilities in detecting bugs and security vulnerabilities. Traditionally, HackerOne hires security professionals to find program bugs that could have a significant impact if left undetected. PullRequest expands this capability by having a group of qualified code reviewers on call, who can detect bugs even before they get into production.

A Shift Toward Developer-Centric Security

HackerOne CTO Alex Rice sees a shift toward developers taking more responsibility for security than they have in the past. Acquiring PullRequest gives him and his customers direct access to the development part of the cycle, making it easier for them to detect bugs and vulnerabilities.

"A trend that we’ve been seeing across a lot of our customers is this real shift toward developers taking far more responsibility for security than they have in the past," Rice said. "This trend is something I’m really excited about, as I fundamentally believe that developer-first security practices are the future of building trustworthy technology."

The Gap Between Intent and Capability

Rice stated that the vast majority of bugs HackerOne has found come after the software is already in production. Even though developers want to create more secure software, it’s not always easy for them to have the necessary resources or expertise.

"We’ve got this intent for developers to start taking more responsibility for security, but there’s a gap between what they would like to find and what they’re capable of finding," Rice said. "So, the role of PullRequest here is to bring the security expertise into the developer workflow where they need it most."

The Acquisition Process

Rice wasn’t aware that PullRequest was looking at security vulnerabilities as part of its service when he approached founder and CEO Lyal Avery about a possible partnership in September last year. However, shortly after that, the two companies began discussing an acquisition.

"We had a conversation, and I realized we were actually competing," Rice said. "But we quickly moved past that and started talking about how we could work together."

PullRequest’s Impact on Developer Security

PullRequest launched in 2017 and raised almost $13 million according to Crunchbase data. The last raise was an $8 million Series A in 2018. Avery has a network of 10,000 vetted reviewers, with about 1,000 active reviewers.

"All 12 employees have moved to HackerOne," Avery said. "We’re excited to be part of the HackerOne team and contribute our expertise to enhance developer-centric security practices."

The Future of Developer-Centric Security

With PullRequest’s acquisition by HackerOne, we can expect to see a significant shift toward developer-centric security practices. As Rice mentioned earlier, this trend is something he’s excited about.

"We fundamentally believe that developer-first security practices are the future of building trustworthy technology," Rice said.

By having a team of qualified code reviewers on call, developers will be able to detect bugs and vulnerabilities even before they get into production. This will make it easier for them to create more secure software, reducing the risk of potential security breaches.

Conclusion

The acquisition of PullRequest by HackerOne is a strategic move to expand HackerOne's capabilities in detecting bugs and security vulnerabilities. With PullRequest’s expertise in developer-centric security practices, we can expect to see a significant shift in this direction. As Rice mentioned earlier, "developer-first security practices are the future of building trustworthy technology."