by vfinn 1576 days ago
That XXE vulnerability sure was brutal and key to the whole thing. It's quite uncomfortable to be responsible for security knowing exploits like this exist (of which you aren't aware).
4 comments

That is why being responsible for security is such a shitty position in most organizations. You have barely any upside since "we didn't get hacked" is the default, but if you do get hacked it is at least partly on your plate. Most vulnerabilities are things you never have heard of and possibly never will. Finally, you will be hated by every PM/dev trying to get something shipped and will continuously have to defend yourself from executives trying to get their pet project expedited.

Even worse than a full time security person or team is the dev who cares a little more than usual and gets manipulated into doing "security" part time while still being part of a normal team. That is just a fast track to burnout: massive responsibilities with almost no power. I've seen it multiple times now and it never seems to end well.

This is why it’s so important for the organization and C-level to be fully bought in to security. What I’ve seen work in the past is for the devs/PMs to own security for the products they develop, and own the liability for security vulnerabilities. In this model, the security team acts more like an internal consultant that accepts invitations to review products/services.
Yeah, I had never heard of XXE until now. Just looked into if PHP's DOMDocument does this by default and it seems like it's based on a configuration setting for the system (very PHP like...), though it looks like you can always run something like libxml_disable_entity_loader or pass in a flag to the load function to not have it do it.

This begs the question: why is this the default? If you know you need it, you can be required to pass a flag to explicitly allow instead of having to disallow. I'm going to hope modern XML libraries handle this the opposite way and chalk this up to PHP being on the older side.
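A hardened DOMDocument wrapper along the lines the comment describes, as an added example (not code from the thread or from PHP itself); it assumes PHP 7.x or 8.x with the dom and libxml extensions, and the input document is constructed for illustration:

```php
<?php
// Added example (not from the thread): parse untrusted XML with DOMDocument
// while refusing DTDs, so external entities are never resolved.
declare(strict_types=1);

function parseUntrustedXml(string $xml): DOMDocument
{
    // PHP < 8.0: external entity loading was enabled by default; turn it off.
    // (Deprecated and unnecessary on PHP >= 8.0, where it is off by default.)
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }

    // Collect libxml errors instead of emitting warnings.
    $previous = libxml_use_internal_errors(true);

    $dom = new DOMDocument();
    // Do NOT pass LIBXML_NOENT (entity substitution) or LIBXML_DTDLOAD;
    // LIBXML_NONET additionally blocks network access during parsing.
    $ok = $dom->loadXML($xml, LIBXML_NONET);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        $msg = isset($errors[0]) ? trim($errors[0]->message) : 'unknown';
        throw new InvalidArgumentException('Malformed XML: ' . $msg);
    }
    // Defence in depth: reject any document carrying a DOCTYPE, which is
    // the only place entities (internal or external) can be declared.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE/DTD not allowed in untrusted XML');
    }
    return $dom;
}

// Constructed sample input: a document declaring an external entity
// (the SYSTEM target is a placeholder path, not a real file).
$hostile = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [ <!ENTITY ext SYSTEM "file:///placeholder/secret.txt"> ]>
<data>&ext;</data>
XML;

$benign = '<?xml version="1.0"?><data><item>fine</item></data>';

try {
    parseUntrustedXml($hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
echo parseUntrustedXml($benign)->documentElement->textContent, "\n";
```

Whether the hostile document fails at parse time or at the DOCTYPE check depends on the libxml version, but it is rejected either way and the entity is never substituted because LIBXML_NOENT is not set.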

Insecurity is the default in Java as well.

I'd be curious to know the history too. Did they really not foresee that external entities are a security hole?

There is a YouTuber, STÖK, who makes videos explaining how he discovers some vulnerabilities. He actually has a video where he relied on an XXE vulnerability in a PDF file to snag passwd/shadow.[0]

0. https://www.youtube.com/watch?v=aSiIHKeN3ys

That's my takeaway as well. In thinking about log4j, it seems like these big things inherit complex escape hatches which make you vulnerable.