I run an application security consulting company. The majority of our work is testing web and mobile applications. A big challenge in hiring for app security is that people need to be aware of the network layer, the transport layer and the applications themselves.
The world of applications is constantly changing and evolving. We don't know how to evaluate people and constantly up-skill them.
They need to have an intersection of a bunch of skills.
Not really, but for most people, if they have strength in even one of these areas, the others can be honed. The crucial aspect of being able to train people is the objective and subjective evaluation of an individual's grasp of the concepts (fundamental knowledge), applied knowledge and capabilities.
Their real skill is how good they are at practising their capabilities and how quickly they can re-align those capabilities for successful execution.
Imagine if we had the ability to evaluate at the time of hiring and, if someone needed a bit more time and support, could share a personalised learning path. That would be a game changer for most of us.
At this point I don't have any solutions to offer, but I would like to share what we do at Appsecco, which is a combination of the following:
If they don't have the knowledge or the ability to do something specific, they can be trained, as long as they are willing to do the work.
Initiative trumps almost every other personality trait. Individuals who are willing to take a risk and go after learning in spite of the inherent fear of failure, completely out of their comfort zone, are the ones who create tools used by others and write books and articles referenced by others.
In my experience companies can't really inculcate initiative. It is one of those latent abilities that can be honed if it already exists.
Be nice and kind to yourself, because the journey to accelerate learning is bound to be full of seemingly insurmountable obstacles and highly improbable things. The net effect is that we will see a lot of failure. Failing while trying shouldn't be a reason to be hard on yourself. In short, we prefer people who are willing to try but will be chill if they don't succeed on their first/nth attempt.
All testers should be open to writing code. All coders should be open to testing. Everyone, including non-technical staff, should be open to documenting their way of working and then figuring out how to automate the majority of their job. Once they do that, they can move on to better, more fun and challenging problems.
What do you think about hiring for security teams? Do you agree, or is there a magic sauce you are willing to share?