6 Steps to Set Yourself up for Success in Your First Two Weeks of Your New AppSec Job
1. Start building relationships with your colleagues, especially the engineering managers. As you will work extensively with them and their teams, it’s imperative to introduce yourself as soon as possible.
Be prepared to answer questions about your background, your vision for the AppSec program, how your work may impact theirs, and areas of opportunity that you already see within the company and application to improve your security posture.
Also, come with questions for them — setting up a dev environment is a good excuse to ask questions, not necessarily about implementation, but about whom on their team you should contact to get to know the environment the best. You can also ask about the security mindset of their team, what features they are currently working on, and what security challenges they face.
2. Understand the data flow of the systems you’re protecting. Get a full inventory of your digital assets and how they work together. You don’t have to go too terribly in-depth (indeed, this may not be possible in your first few weeks); however, it is a good idea to see what you are securing. DFDs (data flow diagrams) are a great resource here if your company has them.
3. Begin to work on a segment of a feature of the application as soon as you can. Not only does this help you dive into how the application works, but it will also sharpen your collaboration and knowledge sharing with your peers.
4. Start (or continue) to read some books on Application Security and the processes of how software is designed and built. My current favorites are ‘Designing Secure Software: A Guide for Developers’ by Loren Kohnfelder and ‘The Phoenix Project’ by Gene Kim et al. Broadening your knowledge on a daily basis lets you familiarize yourself from the jump with resources that you can reference when common themes pop up in the ensuing weeks. (Mine was authentication — my goodness, so much authentication!)
5. Understand the metrics that your company is measuring success against. CIS scores, the OWASP Top 10, detailed reports via Snyk or another tool; whatever it is, it’s important to know how your program will be judged, and knowing this gives you an opportunity to suggest adding or dropping measurements.
6. Last but not least, ask a *ton* of questions. Verbalizing my confusion in public Slack channels is a pain point for me, as I can feel intimidated whenever I start a new job and miss out on the initial opportunity to know *absolutely nothing* about what is going on with the app. But as a mentor once said, ‘always say the thing’. Even if you struggle with the question itself, it’s better to show your curiosity and engagement than to be silent.
With that, my AppSec friends, go forth, and be awesome!