How do I find employees for the DevSecOps and AppSec team

Greetings! My name is Mykhailo Sinelnikov. I am the DevSecOps team lead at RSHB-Intech. I have been working in IT for 25 years, most of them in management positions. Today I will talk about how I look for specialists for my DevSecOps and AppSec team, what I pay attention to, and how I deal with applicants who try to embellish their achievements at the interview.

I will note right away that my experience mainly concerns hiring in remote regions, and there are difficulties here. Specialists are afraid to leave local companies, because such a job is, firstly, guaranteed employment and, secondly, a very stable place. I went down this path myself and decided to move from a small company to a large one, but I will probably talk about that next time.

Where and by what criteria I am looking for future colleagues

Perhaps I will surprise someone, but first of all I look for employees not on job boards but in communities, in shared chats for IT specialists, and through acquaintances. This is how you find a person who comes with recommendations and whom you can judge not by a resume but by a real reputation. You may already know the person yourself, because you hang out in the same community.

There are shared chats for IT specialists in my city (and not only there) where you can simply write: “Hi guys, this is what I do, and I am looking for strong specialists who are ready to work with me.” After that, I post the requirements that are currently relevant for me.

If none of this works, I fall back on the classic option of job boards.

Before inviting someone to an interview, I first pay attention to the following points in the resume and references.

Programming experience

I am sure that anyone in DevSecOps and AppSec should know code. Ideally, every security engineer should grow out of a programmer. You may disagree with me, but DevSecOps and AppSec specialists have to work with code to one degree or another, whether it is YAML manifests, JSON, various scripts, or a classic program written in Java, Go and so on. It is very wrong when a security engineer does not know the language in which they are looking for vulnerabilities. You cannot look at one line highlighted by a scanner and say: yes, this line really is exploitable in this case, or no, it is a false positive. You need to know the whole project and its structure. If you are not a programmer, you simply cannot understand the code.

Show initiative

I want my future employee to show initiative. I mean people who work a lot, take on big tasks, have ambitions, want to achieve things and are willing to spend a long time on specific problems. I support people’s desire to develop in their field, advance in the community and look for interesting tasks and projects for themselves, including outside work. If such things are mentioned in the resume, I definitely count it as a plus.

The ability to rest

I also devote a lot of attention to this and always bring it up at the interview. Interests and hobbies show that a person can switch from work to something else, develops in several directions and is not fixated on the job alone. It does not have to be active sports, hiking, walks and so on. The main thing is that the person has not only work in life, but life itself. Then they will not burn out after several years of relentless work. The ability to rest and switch off is a guarantee of a long working relationship.

In my experience there were only a couple of cases where employees had nothing in life but work, and I consider them unique people. They have worked in this rhythm for a long time without burning out or falling into depression. That takes a certain stability of character. But in 99% of cases, overworking and being unable to rest means a guaranteed departure and burnout after 2-3 years. Such a person can do a lot in a short time, but I do not want to change people like gloves every few years.

Education

I am a postgraduate student myself, and I think that is more of a plus than a minus. You should check that the certificates and diplomas listed in the resume actually exist. Confirmed qualifications are evidence that the declared competences are real. Studying for five years is not easy, but while you study you are forced to think in the right direction, analyze complex situations and develop something that has scientific novelty and can later be used for the benefit of people. Here it is basically the same: you combine ideas with colleagues and create, let’s say, progressive DevOps that helps people further, in particular with security in the banking sector.

References and recommendations

I ask the applicant for contacts of previous employers or colleagues who can give references on their work. If a person has worked in information security, there are usually mutual acquaintances I can talk to who can confirm their qualifications.

What I additionally pay attention to during the interview

Unfortunately, not everything can be clarified by reading the resume. An applicant may hide some things to present themselves in a more favorable light, but more often it is simply impossible to cover everything the employer needs when writing a resume. Through leading questions, conversation, and the applicant’s stories from previous jobs, I find out whether the potential employee has the qualities listed below.

Ability to read

It sounds funny, but it is actually not as widespread a quality as you might think. A person who knows how to read and analyze can solve almost any task. I am convinced of this, because I have been through it more than once myself. Now I look for information in many sources and actively use ChatGPT and similar services just to speed up the work. The more information I push through myself, the more tasks I solve, and accordingly the more successful I am.

Sometimes I ask the candidate to find a solution to a difficult task online, or give them material to analyze, and watch how quickly they can read it and produce a quality analysis of the article.

Analytical mindset

There are two processes: decomposition and composition. Programmers usually use the second. They do compositional work, that is, they assemble from code some artifact that is needed for further work. An IS analyst or security professional uses decomposition: on the contrary, they take that artifact apart into components and look for vulnerabilities. If the programmer creates, the security specialist disassembles.

An analytical mindset is needed for the part of the job that involves analyzing how someone else’s code works. In the 90s, for example, we talked about disassembly when the code was written in assembler: you have a binary, and you need to understand how it works. If you do not analyze all the entry points, exit points, and all the processes and functions the programmer built into the code, you cannot be sure the program works as intended. There can be many pitfalls and logic issues related to the correct or incorrect operation of the program.

Let’s say there is a function you can pass a certain amount of data to. The programmer may think of its input as numeric data, perhaps limited to a particular sequence or length. For example, entering a card number: it seems that a card number has a fixed length. But any analyst, and you, should understand that instead of digits there may be letters or special characters, and the length may not be what the programmer had in mind. This also has to be checked, and every hypothesis analyzed, looking much more broadly than the business logic and the thinking of the programmer who wrote it all.
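To make the card-number example concrete, here is an added Python illustration (mine, not code from the original article) that puts two of the programmer’s hypotheses next to an analyst’s check and runs all three over the same inputs. The sample inputs are constructed; the Luhn checksum and the 12-19 digit length range are my assumptions about what a real validator would enforce. The interesting part is which inputs each hypothesis wrongly accepts.

```python
import re

# Constructed sample inputs (not from the original article).
# 4111111111111111 is the well-known Visa test number and passes the Luhn check.
SAMPLE_INPUTS = [
    "4111111111111111",              # plausible card number
    "4111111111111112",              # right length, fails the checksum
    "abcdefghijklmnop",              # 16 letters: "length 16" is satisfied
    "4111 1111 1111 1111",           # spaces, as a user would type it
    "4111111111111111\n",            # trailing newline, e.g. read from a file
    "\u0664111111111111111",         # Arabic-Indic digit four: \d matches it, int() accepts it
    "4111111111111111' OR '1'='1",   # injection-style payload
    "",
]


def naive_is_card_number(value: str) -> bool:
    """Programmer's first hypothesis: 'a card number is 16 characters'."""
    return len(value) == 16


def regex_is_card_number(value: str) -> bool:
    """Second hypothesis: 'sixteen digits'. Two traps remain: re.match with '$'
    still matches before a trailing newline, and '\\d' matches any Unicode
    decimal digit, not only 0-9."""
    return re.match(r"^\d{16}$", value) is not None


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from doubled values above 9, and require the sum to be a multiple of 10."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        d = int(char)
        if index % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def strict_is_card_number(value: str) -> bool:
    """Analyst's check: explicit ASCII digit class, fullmatch (so nothing can
    trail the digits), a 12-19 digit length range (assumed range for PANs),
    and the checksum. Anything else is rejected, letters and symbols included."""
    if not isinstance(value, str):
        return False
    if re.fullmatch(r"[0-9]{12,19}", value) is None:
        return False
    return luhn_ok(value)


def compare(inputs):
    """Return {input: (naive, regex, strict)} so the three verdicts can be read side by side."""
    return {
        v: (naive_is_card_number(v), regex_is_card_number(v), strict_is_card_number(v))
        for v in inputs
    }


if __name__ == "__main__":
    for value, verdicts in compare(SAMPLE_INPUTS).items():
        print(repr(value), verdicts)
```

Running it shows the gap between the hypotheses and the check: the all-letters input and the Unicode-digit input pass the length test, the trailing-newline input and the Unicode-digit input pass the `re.match` test, and only the genuine test number passes the strict check.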

How do you tell whether a candidate has an analytical mindset? This is easily clarified at the conversation stage. You can simply ask questions like: “There is a data sample for process X consisting of 1000 parameters; you need to determine the 30 most important ones, and three groups of analysts will work on the task. How would you split the parameters between them to get high efficiency and reliability of the analysis?”

Experience working in critical situations

It is desirable that the applicant has experience working under crunch, for example with servers under a high critical load, while on duty. Usually this means night shifts, evening shifts, or weekends when something had to be urgently brought back up and restored. Such people are very valuable. They really know how to work and have personally been through various kinds of “pain”. They are ready to put out fires with you and, most importantly, are very likely to be more careful than others.

I worked in a company with many students who had no experience. They broke things very often, and someone had to bring things back up after them. This is partly a consequence of mentoring: you have to help, develop and make specialists out of students, but that does not cancel the pain of correcting mistakes. Until you go through all of this together with them, they do not become strong. If a person has taken part in these processes and had the strength and ability to bring things back up and fix them, that is great. Such people should be singled out and taken on, because they clearly know how to work.

How not to be deceived

Applicants may exaggerate their achievements, but this is fairly easy to verify. If a person claims the necessary practice, you ask practical questions that are difficult to answer without real experience.

Say I ask about the implementation of some DevSecOps practice, for example which orchestrator they worked in. In a nutshell, the applicant should be able to write the job in which all this was done and name the tool that was used. You can even suggest some flags of the vulnerability scanner in question and ask which flags they would use, and in what way, to make everything work. Only an expert who has actually worked with the tool can answer such questions. In my opinion, this is the best way to test a person: give small practical tasks that can be solved quickly.

It happens that an applicant has not worked with the same things as me, and may have more experience and knowledge. Then it makes sense to find some common topics, points of contact we have both worked with. Say you simply list 20 things from the IT field, ask which of them the applicant is familiar with, find the common points and then go through them in detail.

When an applicant boasts at the interview about things they have built, it is also better to ask specific questions. If the person tells you without hesitation what they implemented, you can additionally ask small details about each point and direction. Say: how did you implement the SAST check, and with which tools? If they tell it in detail, perhaps with some additional nuances related to the settings of a particular scanner, and it fits into the overall picture, then the person really lived this and used what they are talking about.

These are all the points I pay attention to when looking for new people. I hope this information will be useful both to my fellow team leads and to applicants, who will now know what qualities they need to develop to pass the interview successfully.