There are things you can do to improve application security even if you’re unable to recruit and retain an application security engineer.
In a previous post, I highlighted some of the challenges associated with hiring appsec people. We see companies struggle to hire a single appsec engineer, only to have them leave within a year without having accomplished their goals or left a lasting positive impact on the organization. This can happen for a number of reasons:
- The new hire was a technical subject matter expert thrust into a leadership role
- The new hire was a leader who did not have technical expertise and struggled to build credibility with the engineering team
- The new hire was unqualified and placed in the position because the company needed to fill the role
Here’s some good news.
I’m willing to bet that your best appsec engineer candidate is already on your engineering team. You just don’t know it yet. And neither do they. After 17+ years of appsec experience, I see a repeating pattern. You can usually find one person who is interested in and passionate about application security – but they don’t consider themselves a security expert. Assuming they’re a good software engineer, this is a great opportunity.
In this person, you have someone with intimate knowledge of your environment, and the relationships needed to make security improvements. Half of the appsec battle is knowing what applications you have, how data flows through your environment, and where your known security issues are. The other half is having the credibility and leadership capabilities to prioritize changes and allocate engineering effort. Paying a penetration tester to maybe discover security issues that your engineering team already knows about is a waste of time and money. You’re better off giving your secret appsec engineer a voice and some power to get issues resolved.
How do you identify your secret appsec engineer?
The simplest way is to ask. Talk to your team and understand where their interests lie. Ask them if they’re interested in appsec, and offer to send them to training and conferences. Early in my career, I had a boss who saw my passion for appsec and paid for me to go to my first OWASP conference in 2004. My primary role was as a support engineer on our WAF product, but I ended up also functioning as a security champion, finding and escalating security issues to our R&D team. After I knew my boss supported me, I doubled my appsec efforts, my abilities increased, and my career trajectory was set.
Another way is to offer appsec training to your engineers to see who enjoys it and excels. Carve delivers Threat Model training to dozens of engineering teams over the course of a year. This training is highly engaging and interactive – not your typical PowerPoint slide show. In any class, you’ll quickly identify the people who are attending because they were told to, and the people who are genuinely interested and engaged on the topic of application security. Occasionally, you come across the vocal skeptical engineer who thinks everything is fine, and that application security is a waste of time. This person, with the right leadership, can sometimes be turned into your biggest application security asset.
Here is a challenge for you. Over the next few weeks, talk to your team, and find these two people:
- Your secret application security engineer
- Your vocal security skeptic
When you find them, connect with me, and I can give you some advice on how to turn them into your two-person application security team.