I have started as the head of AppSec/ProdSec a few times in my career. I also had the interesting position of integrating multiple acquisitions at a previous job, which was very similar to being the head of AppSec. I wanted to share my general list of questions I ask out of the gate and other things I try to learn in a short timeline. Hopefully this is useful to people who are in a similar position and have never done it before. I am sure I will miss a few things, and as always it depends on the culture of the business you are joining. I also think this can be useful to anyone who is starting at a higher level in AppSec/ProdSec.
Development Information
- What languages are used?
- What are all of the ways code is stored (almost every company seems to have more than one place they store code in my experience)?
- How are the applications built and deployed?
- Who are the people who have been around the longest? I use this information to figure out who to talk with to understand how the applications have changed and how they are connected.
- What type of testing is done?
- Are there any system diagrams or documents on the system architecture?
- Where do the devs track their work and bugs/issues?
Cultural Information
- How does communication happen?
- Are there unspoken times when meetings aren’t supposed to happen?
- What is the best way to talk to parts of an organization en masse?
- Do groups have get-togethers / team-building events / launch parties, or celebrate their successes? If so, how?
- How does the company give feedback and kudos (if at all)?
Security Team Information
- What are the different security teams?
- How does vulnerability management work?
- Who is the old guard on the security team?
- What tools are in place and how well are they being utilized?
- What vulnerabilities have been found in the past, and were they fixed?
- If consultants are used, I like to read the output from the engagements.
Misc Information
- I will often load up 10,000 tabs of information that I can find in Confluence, a wiki, Google Docs, etc., just to start learning other bits of information about the company as a whole.
- I will also schedule as many meetings with as many people as I can to learn about the company. I will often ask the following questions:
  - Who else should I talk with?
  - What is the thing that needs to be improved the most here?
  - What have your interactions been with the security team so far?
Well, that is about it. This might seem like a long list, but learning how an organization works requires a lot of information, at least in my experience. Also, many times it is easy to answer multiple questions at once. I also view this as something I rarely stop learning about, and finding my initial answers usually takes me two to three months at an organization. That will of course change depending on the size of the company.