Joel Test for AppSec

At the OWASP Summit 2017, there was held a session on Recruiting AppSec Talent with the purpose of improving the recruitment cycle, including improving job postings and suggested next steps for AppSec Managers looking for long-term growth of their team.

We discussed the gap between companies’ needs to recruit talented AppSec people, and attracting the best AppSec people to work at their company. The Joel Test is a quick indicator of Development culture: an irresponsible, sloppy test to rate the quality of a software team. We adapted the Joel Test to be a quick indicator of a company’s AppSec culture. The test’s purpose is to help companies attract the right talent and help talent to find the right company

First draft of the AppSec Joel Test (in no specific order):

• Does the company fund ongoing education for AppSec hires?
• Do developers undergo periodic AppSec training?
• Do AppSec people have a quiet working environment?
• Are there both offense and defense teams; do they work together?
• Can the AppSec team delay release (or fix) a new version or product?
• Is the AppSec team involved throughout the development lifecycle process?
• Can I access developers directly?
• Are security bugs treated like functional bugs?
• Is there some form of SDL / Maturity model / or other process in place?
• Can AppSec people choose their own tools (paid for by the company)?
• Is there a dedicated Incident Response team?
• Does the company contribute to Open Source and community efforts (or support personal contributions)?