CodeSecDays 2024 - Join GitGuardian for a full-day exploration of cutting-edge DevSecOps solutions!


3 qualities to look for when hiring in Application Security

Jeevan Singh sits down with Dwayne and Mackenzie on the security repo podcast to discuss what 3 things he looks for when he is hiring someone into the application security team.

Video Transcript

What are you looking for out there as you're going through applicants, as you're looking to fill roles? Are there any bits of advice you could give our listeners who are trying to move in that direction?

Oh man, I really love that question. So we're talking a lot about scaling right now, and there are three different things that I look for in an application security engineer.

The first part is that they can actually do application security. So have you run a bug bounty? Have you run a pen test from end to end? Have you done security reviews, threat modeling? Can you speak with engineers on their level so that you can actually get them to fix vulnerabilities? So I'm really looking for folks that can actually do the application security side.

But as we talk about scaling, scaling is a lot more about looking at problems and understanding how you can actually redo it, re-fix the program, so that you can implement it and not have to be hands-on with it. So from that standpoint I'm looking for two areas. I'm looking for engineers, and when I talk about engineers, it's someone that can understand the problem, break it down into smaller pieces, and then come up with a great solution for it. So it could be a particular program, or it could be tools that you build. When we go through the interview process, we dive much, much deeper into your engineering mindset. You know, a lot of folks within the team don't have to be coding all the time, but you have to have some sort of coding ability.

The last area that I'm really looking to, and really focusing on this year and beyond, is: can you teach? As we learn as a team, the only way that we can actually grow and scale with the organization is if engineering is doing a lot of the heavy lifting as well. Earlier we talked about self-service threat modeling; that is one small aspect of it, but we're actually really looking at rebuilding our security champions program, where these individuals can potentially work on the product security team at some point. So they'll be really, really strong with understanding and doing code reviews, they'll be able to do very simple offensive security, they know how to threat model. More importantly, when you're at an org where there are about 100, 110 security folks, do you even know who to reach out to in security if you have a question? You may have a compliance-related question: who do you actually reach out to? Or if you're dealing with a customer that has a security question, who else do you reach out to? So the basic understanding of what the security team looks like, what the security org is like.

And these champions, ultimately we want the program to scale, which is the theme of today. At the end of all this training we're expecting them to actually be able to run the training themselves. So we want these security champions to be really, really good at, to have the soft skills and be able to relay that information. So the security engineers that we hire have to be good at appsec, they have to be good at engineering so that they can scale, but also really, really strong at teaching, that soft skill, so that we can build security champions that can actually help us with our security program moving forward. So, great question. That's the future application security engineer: someone that can hit all those three different areas.