Recruiting AppSec Talent


Why

AppSec and InfoSec talent are difficult to find these days, for several reasons. It is a challenge for an industry corporation to accept professionals who are unhappy with their current employment and would like to work in a narrow field such as security, but only have experience in other areas of IT or development. There are also many people, just starting out in the industry and without experience or certifications (usually a degree in CS), who cannot easily prove to a potential employer what they can achieve.

All the while, there is a lack of, and high demand for, professionals who can work with and grow in the AppSec community.

This session will also be a great place to hold thoughtful conversations about different kinds of security careers, top skills in high demand, and the newest opportunities within the field. 

What

 - What can be done to improve the talent pool?
 - What is the best way to connect employees and employers?
 - Explore the concept of working 2 days a week on a specific project (while employed by another company)

  • Should recruitment agencies have a more proactive role in creating talent and finding job opportunities?
  • What should the career path be for developers who want to move into security?
  • What is the role of universities and work placements?
  • How can hiring managers efficiently judge a candidate’s abilities and potential?
  • What are essential requirements, and what can be ignored?
  • How can a candidate show their worth to a prospective employer, without violating an NDA on their previous work?
  • How can an employer, and specific positions, be made more attractive?
  • What can be done to improve morale and increase retention?
  • What are common career paths into AppSec and InfoSec? How can newbies break into the field, and how can senior practitioners advance?
  • What effects do globalisation and remote working technologies have on recruitment?

Outcomes

Suggested Outcomes:

  • Example career paths to guide incoming AppSec Professionals
  • Typical appsec jobs and their duties and requirements
  • Recruiters guide
  • Specific guidelines for job postings
  • List of suggested next steps for AppSec Managers looking for long-term growth of their team
  • A quick “Joel Test” for AppSec

Synopsis and Takeaways

We discussed the gap between companies’ need to recruit talented AppSec people and their ability to attract the best AppSec people to come and work for them. The Joel Test is a quick indicator of development culture: an irresponsible, sloppy test to rate the quality of a software team. We have adapted the Joel Test to quickly indicate a company’s AppSec culture. The test’s purpose is to help companies attract the right talent and to help talent find the right company.

First draft of the AppSec Joel Test (in no specific order):

  • Does the company fund ongoing education for AppSec hires?
  • Do developers undergo periodic AppSec training?
  • Do AppSec people have a quiet working environment?
  • Are there both offense and defense teams, and do they work together?
  • Can the AppSec team delay release (or fix) a new version or product?
  • Is the AppSec team involved throughout the development lifecycle process?
  • Can I access developers directly?
  • Are security bugs treated like functional bugs?
  • Is there some form of SDL, maturity model, or other process in place?
  • Can AppSec people choose their own tools (paid for by the company)?
  • Is there a dedicated Incident Response team?
  • Does the company contribute to Open Source and community efforts (or support personal contributions)?

Who

The target audience for this Working Session is:

 - AppSec team leads
 - Technical managers
 - Senior employees
 - Freelancers
 - Recruitment agencies
 - Human resources
 - Universities
