Recruiting AppSec Talent

Track: CISO
When: Thu DS-2
Organizers: Manish Saindane
Participants: Adrian Winckles, Manish Saindane
Remote Participants: Prakash Sharma

AppSec and InfoSec talent are difficult to find these days, for several reasons. It is a challenge for an industry corporation to accept professionals who are unhappy with their current employment and who would like to work in a narrow field such as security, but who only have experience in other areas of IT or development. There are also many people just starting out in the industry who lack experience or credentials (usually a degree in CS) and cannot easily prove their potential to prospective employers.

All the while, there is a lack of, and high demand for, professionals who can work with and grow in the AppSec community.

This session will also facilitate thoughtful conversations about different kinds of security careers, top skills in high demand, and the newest opportunities within the field.


  • What can be done to improve the talent pool?
  • What is the best way to connect employees and employers?
  • Explore the concept of working two days a week on a specific project (while employed by another company)
  • Should recruitment agencies have a more proactive role in creating talent and finding job opportunities?
  • What should the career path be for developers who want to move into security?
  • What is the role of universities and work placements?
  • How can hiring managers efficiently judge a candidate’s abilities and potential?
  • What are the essential requirements, and what can be ignored?
  • How can a candidate show their worth to a prospective employer, without violating NDAs from their previous work?
  • How to make an employer, and specific positions, more attractive
  • What can be done to improve morale and increase retention?
  • What are common career paths into AppSec and InfoSec? How can newbies break into the field, and how can senior practitioners advance?
  • What effects do globalisation and remote working technologies have on recruitment?


Suggested Outcomes:

  • Example career paths to guide incoming AppSec Professionals
  • Typical AppSec jobs and their duties and requirements
  • Recruiters guide
  • Specific guidelines for job postings
  • List of suggested next steps for AppSec Managers looking for long-term growth of their team
  • A quick “Joel Test” for AppSec

Synopsis and Takeaways

We discussed the gap between companies’ need to recruit talented AppSec people and their ability to attract the best AppSec people to come work for them. The Joel Test is a quick indicator of development culture: an irresponsible, sloppy test to rate the quality of a software team. We have adapted the Joel Test to quickly indicate a company’s AppSec culture. The test’s purpose is to help companies attract the right talent and to help talent find the right company.

First draft of the AppSec Joel Test (in no specific order):

  • Does the company fund ongoing education for AppSec hires?
  • Do developers undergo periodic AppSec training?
  • Do AppSec people have a quiet working environment?
  • Are there both offense and defense teams, and do they work together?
  • Can the AppSec team delay the release (or fix) of a new version or product?
  • Is the AppSec team involved throughout the development lifecycle process?
  • Can I access developers directly?
  • Are security bugs treated like functional bugs?
  • Is there some form of SDL, maturity model, or other process in place?
  • Can AppSec people choose their own tools (paid for by the company)?
  • Is there a dedicated Incident Response team?
  • Does the company contribute to Open Source and community efforts (or support personal contributions)?


The target audience for this Working Session is:

  • AppSec team leads
  • Technical managers
  • Senior employees
  • Freelancers
  • Recruitment agencies
  • Human resources
  • Universities
