Recently, I was asked by a CISO for recommendations on hiring their first AppSec or product security professional. This sparked a reflection on what makes an ideal candidate for such a position. Hiring for this role isn’t just about technical skills; it requires a combination of in-depth security expertise, the ability to work across teams, and a clear strategy for how this person will grow within the organization.
Here are some key factors to consider when hiring your first AppSec/product security professional:
One of the most critical aspects of the role is security code review. It’s easier to train someone to test live web applications (especially if you rely on PentesterLab) than to teach them the complexities of effective code review. Code review requires a detailed understanding of how applications are built and how minor coding errors can lead to significant security vulnerabilities.
Moreover, code review efficiency improves as the individual becomes more familiar with the codebase. Having an internal person who knows the intricacies of the code will lead to better recommendations for fixes and long-term improvements. Pentesting, on the other hand, often benefits from fresh eyes and is easier to outsource when necessary. Internal expertise on the codebase compounds over time, while pentests are easier to run as one-off engagements.
Beyond technical skills, a successful AppSec hire should be able to look at the bigger picture. This means having a strong grasp of system architecture and design, allowing them to assess risks at a higher level before they become embedded in the code. A candidate who can understand how different components fit together in the system will be able to spot design flaws that could lead to vulnerabilities.
This type of strategic thinking is critical in preventing security flaws from being baked into the foundation of the product. A broader view also enables more productive conversations with development and DevOps teams, as the AppSec hire can provide meaningful input on both a technical and architectural level.
Security professionals are no longer isolated from the rest of the organization. The person hired for this role must work effectively with development and DevOps teams, as security is now deeply embedded in the software development lifecycle. Involving these teams in the hiring process ensures the new hire will be a good fit, not just technically but also culturally.
It’s easier to train someone who fits well within the existing team structure to sharpen their technical skills than it is to integrate someone who might have strong technical knowledge but doesn’t align with the team culture ("Don't Hire Brilliant Jerks"). The ability to collaborate across disciplines is often a better indicator of long-term success.
It's important to manage expectations regarding the future role of the new hire. Will this person lead the security team when it expands, or will they remain a core contributor? Clearly defining their role in the long-term vision of the company helps avoid confusion and ensures that the candidate is aligned with the organization's goals from the start.
There is no right answer: not every application security engineer wants to run a team. Some people are just as happy being an individual contributor in the long run. It’s just a question of managing expectations.
Recruiters can be valuable allies in the hiring process, as they are often aware of professionals who are looking for new opportunities before these individuals formally enter the job market. Engaging recruiters or tapping into professional networks can help identify potential candidates who might otherwise be off the radar.
Additionally, you will often have more success hiring someone who is already working in AppSec but is seeking a more dynamic environment or an opportunity to make a bigger impact. Experienced professionals bring deep knowledge and the ability to drive significant improvements in security processes.
Sometimes, the ideal candidate may already exist within the organization. A developer or DevOps professional who has taken a personal interest in security could be an excellent choice for the role. While they may require additional training, their existing relationships with the development team and familiarity with the codebase can make them highly effective in the long run.
What such a candidate may lack in immediate technical security expertise can be compensated for by their internal connections, influence, and deep knowledge of the company’s code and culture.
The choice between hiring a generalist or a specialist depends largely on the size of the existing security team. If this is the first security hire, a generalist who can cover a range of responsibilities, including code review, threat modeling, and security assessments, may be more appropriate. However, if a security team already exists, bringing in a more specialized AppSec professional can enhance the team's effectiveness by filling any gaps in expertise.
Ensuring that the new hire has access to the right resources is crucial for their development. Books like The Phoenix Project and The Unicorn Project offer valuable insights into integrating security with DevOps and development practices. Additionally, ongoing training through platforms like PentesterLab can help the hire grow technically, especially if they need to deepen their skills in specific areas of application security.
Hiring the first AppSec or product security professional is a critical decision that can shape the security posture of an organization for years to come. By prioritizing code review skills, fostering a collaborative environment with development and DevOps, and thinking strategically about the candidate’s future within the company, organizations can build a strong foundation for a robust security program. Whether the ideal candidate is sourced externally or promoted internally, the right person can help secure the organization’s codebase and contribute to a culture of security that grows along with the company.