https://wiki.owasp.org/index.php?action=history&feed=atom&title=Joel_Test_for_AppSecJoel Test for AppSec - Revision history2026-04-04T15:36:55ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Joel_Test_for_AppSec&diff=237898&oldid=prevAvi Douglen: Created page with "At the [https://owaspsummit.org/ OWASP Summit 2017], there was held a session on [https://owaspsummit.org/Outcomes/Education/Recruiting-AppSec-Talent.html Recruiting AppSec Ta..."2018-02-19T23:51:38Z<p>Created page with "At the [https://owaspsummit.org/ OWASP Summit 2017], there was held a session on [https://owaspsummit.org/Outcomes/Education/Recruiting-AppSec-Talent.html Recruiting AppSec Ta..."</p>
<p><b>New page</b></p><div>At the [https://owaspsummit.org/ OWASP Summit 2017], there was held a session on [https://owaspsummit.org/Outcomes/Education/Recruiting-AppSec-Talent.html Recruiting AppSec Talent] with the purpose of improving the recruitment cycle, including improving job postings and suggested next steps for AppSec Managers looking for long-term growth of their team. <br />
<br />
We discussed the gap between companies’ needs to recruit talented AppSec people, and attracting the best AppSec people to work at their company. The [https://www.joelonsoftware.com/2000/08/09/the-joel-test-12-steps-to-better-code/ Joel Test] is a quick indicator of Development culture: an irresponsible, sloppy test to rate the quality of a software team. We adapted the Joel Test to be a quick indicator of a company’s AppSec culture. The test’s purpose is to help companies attract the right talent and help talent to find the right company<br />
<br />
First draft of the AppSec Joel Test (in no specific order):<br />
* Does the company fund ongoing education for AppSec hires?<br />
* Do developers undergo periodic AppSec training?<br />
* Do AppSec people have a quiet working environment?<br />
* Are there both offense and defense teams; do they work together?<br />
* Can the AppSec team delay release (or fix) a new version or product?<br />
* Is the AppSec team involved throughout the development lifecycle process?<br />
* Can I access developers directly?<br />
* Are security bugs treated like functional bugs?<br />
* Is there some form of SDL / Maturity model / or other process in place?<br />
* Can AppSec people choose their own tools (paid for by the company)?<br />
* Is there a dedicated Incident Response team?<br />
* Does the company contribute to Open Source and community efforts (or support personal contributions)?</div>Avi Douglen