Recruiting AppSec Talent

Original Working Session content: Recruiting AppSec Talent


Suggested Outcomes

  • Sample career paths to guide incoming AppSec Professionals
  • Typical AppSec jobs and their duties and requirements
  • Recruiter’s guide
  • Specific guidelines for job postings
  • List of suggested next steps for AppSec Managers looking for long-term growth of their team
  • A quick “Joel Test” for AppSec

Synopsis and Takeaways

We discussed the gap between companies’ need to recruit talented AppSec people and their ability to attract the best AppSec people to work for them. The Joel Test is a quick indicator of development culture: an irresponsible, sloppy test to rate the quality of a software team. We adapted the Joel Test to be a quick indicator of a company’s AppSec culture. The test’s purpose is to help companies attract the right talent and to help talent find the right company.

First draft of the AppSec Joel Test (in no specific order):

  • Does the company fund ongoing education for AppSec hires?
  • Do developers undergo periodic AppSec training?
  • Do AppSec people have a quiet working environment?
  • Are there both offense and defense teams; do they work together?
  • Can the AppSec team delay release (or fix) a new version or product?
  • Is the AppSec team involved throughout the development lifecycle process?
  • Can I access developers directly?
  • Are security bugs treated like functional bugs?
  • Is there some form of SDL / Maturity model / or other process in place?
  • Can AppSec people choose their own tools (paid for by the company)?
  • Is there a dedicated Incident Response team?
  • Does the company contribute to Open Source and community efforts (or support personal contributions)?
