How I look for employees for my DevSecOps and AppSec team

Hello! My name is Mikhail Sinelnikov. I am DevSecOps TeamLead at RSHB-Intech. I have been working in IT for 25 years, many of them in management positions. Today I’ll tell you how I look for specialists to join my DevSecOps and AppSec team, what I pay attention to, and how I deal with applicants who try to embellish their achievements during interviews.

I should note right away that my experience mostly concerns hiring employees in the regions, remotely. This has its own difficulties. Specialists are afraid to leave local companies because a local company is, firstly, a guarantee of employment and, secondly, a very stable place. I went down this path myself and decided to move from a small company to a large one, but I’ll probably tell you about that next time.

Where and by what criteria do I look for future colleagues?

Perhaps I will surprise someone, but first of all I look for employees not on job sites, but in communities, general chats for IT specialists and through friends. This way you can find a person who already comes with recommendations and assess how suitable he is for you, not by his resume, but by his actual reputation. You may already know him yourself, because you hang around in the same community.

There are general chats in my city (and not only there) for IT specialists, where you can simply write: “Hey guys, I’m doing this and I’m looking for cool specialists who are ready to work with me.” Then I list the requirements that are currently relevant to me.

If none of this is possible, I fall back on the classic option: job sites.

Before being invited for an interview, I first pay attention to the following points from the resume and recommendations.

Programming experience

I am sure that any security person in DevSecOps and AppSec must know how to read code. Ideally, all security professionals should grow up to be programmers. You may not agree with me, but DevSecOps and AppSec specialists must work with code to one degree or another, be it YAML manifests, JSON, various scripts, or a classic application written in Java, Go, and so on. It is very wrong when a security specialist does not know the language in which he is looking for vulnerabilities. You cannot look at one line that the scanner highlighted and say: yes, indeed, this finding is exploitable in this case, or it is a false positive. You need to know the entire project and its structure. If you are not a programmer, you simply will not understand this code.

Taking initiative

I would like my future employee to take initiative. I mean people who work quite a lot, carry out big tasks, have ambitions, want to achieve things and are willing to spend a long time on specific tasks. I support people’s desire to develop in their field, advance in the community and look for interesting tasks and projects, including outside of work. If the relevant points are indicated in the resume, I will definitely count this as a plus.

Ability to rest

I also devote a lot of time to this point and always mention it during the interview. The presence of interests and hobbies indicates a person’s ability to switch from work to something else, well-rounded development and not being fixated on work alone. We are not necessarily talking about active sports, hiking, walking, etc. The main thing is that a person has not only work in life, but also life itself. This means that he will not burn out after a couple of years of non-stop work. The ability to rest and be distracted acts as a guarantee of a long-term employment relationship.

In my experience, there have only been a couple of cases when employees had nothing in life but work. But I think they are unique people. They have been working at this rhythm for a long time and do not burn out or become depressed. To do this you need a certain stamina and character. But in 99% of cases, overwork and the inability to rest mean guaranteed burnout and resignation in 2-3 years. Such a person can do a lot in the moment, but I don’t need to change people like gloves every couple of years.

Education

I myself completed graduate school, and I think that this is more of a plus than a minus. You should verify the certificates and diplomas listed in the resume. Confirmation of qualifications through certificates can indicate the veracity of the declared competencies. Studying for five years is not easy, but at the same time, when you study, you are forced to think in the right direction, analyze complex situations and develop something that has scientific novelty at the present time and can be used in the future for the benefit of people. And here it is the same thing in principle: you combine common ideas with colleagues and create, for example, progressive DevOps, which allows you to further help people, in particular with security in the banking sector.

References and recommendations

I ask the applicant to provide contacts of previous employers or colleagues who can provide recommendations about his work. If a person worked in the field of information security, then usually there are mutual acquaintances with whom I also communicate and who can confirm his qualifications.

What additional things do I pay attention to during an interview?

Unfortunately, not all points can be clarified at the stage of reading the resume. The applicant may hide some things in order to present himself in a more favorable light, but more often it is simply impossible to cover in a resume all the points the employer needs. Using leading questions in conversation with the applicant and his stories from previous jobs, I find out whether the potential employee has the qualities listed below.

Reading ability

It sounds funny, but in reality it is not such a common quality. A person who can read and analyze can solve almost any problem. I am absolutely convinced of this, because I have gone through it myself more than once. Now I try to search for information in many sources, and I actively use ChatGPT and similar services just to speed up my work. That is, the more information I process, the more problems I solve and, accordingly, the more successful I am.

Sometimes I ask a candidate to find a solution to a complex problem online, or provide him with material for analysis, and see how quickly he can read and produce a quality analysis of the provided article.

Analytic mind

There are two processes: decomposition and composition. Programmers usually use the second. They perform composition, that is, they assemble from the code some kind of artifact that is needed for further work. An information security analyst or security specialist uses decomposition. That is, on the contrary, he takes that artifact apart into its components and looks for vulnerabilities. If the programmer creates, the security guy dismantles.

An analytical mindset is necessary in the part of the work that is specifically about analyzing how someone else’s code works. In the 90s, for example, we talked about disassembling when the code was written in assembler: you have a binary, and you need to understand how it works. If you do not analyze all the entry and exit points, all the processes and functions that the programmer developed in this code, then you cannot be sure that the program works as it was intended. There can be many pitfalls and logic issues associated with the correct or incorrect operation of the program.

Let’s say there is some function into which you can pass a certain amount of data. The programmer may think of the function’s input as numeric data, or as data limited to some sequence or length. For example, a card number field. A card number seems to have a fixed length. But at the same time, any analyst, and you, must understand that instead of digits there may be letters or special characters, and the length may not be exactly what the programmer had in mind. This also needs to be checked, and all hypotheses need to be analyzed, looking at everything much more broadly than the business logic and the thinking of the programmer who wrote it.
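The card-number field above, carried through as an added example (this is not code from the original post, and the field, the validators and the test inputs are constructed for illustration). The naive validator encodes the programmer's assumption ("16 digits"); the strict one encodes the analyst's hypotheses: exact character class, a length range and a checksum. The hypothesis table is the analyst's list of "what else could arrive here", and the function at the end reports where the two validators disagree.

```python
"""Decomposing a programmer's assumption about a "card number" input.

Added example, not from the original post. The field, both validators and
all sample inputs are constructed for illustration.
"""
import re

# The programmer's mental model: a card number is 16 digits, and str.isdigit()
# is good enough to check for digits.
def naive_is_card_number(value: str) -> bool:
    return len(value) == 16 and value.isdigit()

# The analyst's model. Note the choices that differ from the naive check:
#   [0-9]      ASCII digits only; \d or str.isdigit() also accept Unicode digits
#   {13,19}    real PANs are 13 to 19 digits long, not a fixed 16
#   fullmatch  re.match(r"...$") would still match "4111...\n", because $
#              matches before a trailing newline; fullmatch does not
CARD_RE = re.compile(r"[0-9]{13,19}")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers (ASCII digits only)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def strict_is_card_number(value: str) -> bool:
    return bool(CARD_RE.fullmatch(value)) and luhn_ok(value)

# Hypotheses the analyst wants answered about a "16-digit number" field.
# All values are constructed; the two valid PANs are the well-known test
# numbers, not real cards.
HYPOTHESES = {
    "valid_visa_test_pan": "4111111111111111",
    "amex_15_digits": "378282246310005",          # legitimate, but not 16 long
    "letters": "4111abcd11111111",
    "special_chars": "4111-1111-1111-1111",
    "too_short": "411111111111111",
    "too_long_20": "41111111111111111111",
    "wrong_checksum": "4111111111111112",
    "unicode_digits": "\u0664" + "\u0661" * 15,   # Arabic-Indic digits, isdigit() is True
    "trailing_newline": "4111111111111111\n",
    "leading_space": " 4111111111111111",
}

VALIDATORS = {"naive": naive_is_card_number, "strict": strict_is_card_number}

def compare(validators=VALIDATORS, cases=HYPOTHESES) -> dict:
    """Run every hypothesis through every validator: {case: {validator: verdict}}."""
    return {name: {vname: v(value) for vname, v in validators.items()}
            for name, value in cases.items()}

def disagreements() -> list:
    """Cases where the programmer's check and the analyst's check disagree."""
    return sorted(name for name, r in compare().items() if r["naive"] != r["strict"])

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:22s} naive={verdicts['naive']!s:5s} strict={verdicts['strict']}")
    print("disagreements:", disagreements())
```

The disagreements are the interesting output: the naive check accepts a number with a bad checksum and a string of non-ASCII digits, and rejects a legitimate 15-digit number. Each of those is a hypothesis the programmer never formed, which is exactly what the interview question about "thinking more broadly than the business logic" is probing for.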

How can you tell if a candidate has an analytical mind? All this can be easily clarified at the “talk” stage with the candidate. You can simply ask questions like: “There is a data sample for process X consisting of 1000 parameters, and you need to determine the 30 most important ones. The analysis task will be solved by 3 groups of analysts. How do you split these parameters between them to get high efficiency and reliability of the analysis?”

Experience working in a critical situation

It is desirable that the applicant has experience working in crunch, for example, if he worked with servers under heavy critical load and was on call. Usually these are night shifts, evening shifts and days off, when something had to be urgently brought back up and restored. Such people are very valuable. They really know how to work and have personally gone through various “pains”. They are ready to put out fires with you and, most importantly, they will most likely be more careful than others.

I worked in a company where there were many students with no experience. They very often broke a lot of things, and someone had to bring it all back up. This, of course, is partly a consequence of mentoring. You must help, develop and make specialists out of students, but this does not eliminate the “pain” of correcting mistakes. And until you go through all this with them, they don’t become cool. If a person participated in these processes and had the strength and ability to bring things back up and fix them, this is very cool. We need to single out these people and take them for ourselves, because they clearly know how to work.

How to avoid being deceived

Applicants may exaggerate their achievements, but this is fairly easy to verify. To check whether a person has the necessary practice, ask practical questions that are difficult to answer without real experience.

Let’s say I’m asking about the implementation of some DevSecOps practice, for example which orchestrator he worked with. In a nutshell, the applicant must describe the job in which all this ran and which tool he used. You can even suggest some command-line flags for that vulnerability scanner and ask which flags he would use, and in what way, to make everything work. Only a specialist who has actually worked with this can answer these questions. In my opinion, this is the best way to check a person. That is, you need to give small practical tasks that can be solved quickly.

It happens that not all applicants have worked, or are working, with the same things as me, and they may have more experience and knowledge. Then it makes sense to find some common issues, common ground we have both worked on. Let’s say you just list 20 things from the field of information security and ask which of them the applicant is familiar with, find common points of interest and then go through them in detail.

When a job applicant boasts about his developments during an interview, it is also better to ask specific questions. If a person explains without hesitation what he has implemented, you can additionally ask him for some small details on each point and direction. Let’s say, how you implemented the SaaS verification and with what tools. If he talks in detail, perhaps with some additional nuances related to the settings of a particular scanner, and this fits into the general picture, then the person really lived it and used what he is talking about.

These are all the things I look at when looking for new people. I hope this information will be useful both to my TeamLead colleagues and to applicants, who will now know which qualities they need to develop to successfully pass an interview.
