At the May 2025 edition of LeanAppSec Live, we were lucky to have Jeevan Singh (Director of Security Engineering, Rippling) join us to talk about essential skills for application security engineers, and how that’s changing in the age of AI. As a leader and hiring manager, Jeevan has years of experience interviewing security engineers at tech companies, and through that experience he’s developed a philosophy on how to determine if candidates have the right skills to join his team.
You can watch the 30-minute session, including audience Q&A. To download his slides or see the full replay, register for the on-demand version.
Jeevan breaks skills down into four categories:
- Application security
- Software development
- Influencing
- Program management
And of course there’s a fifth “bonus” category: AI.
Application Security Skills
This is your core technical AppSec knowledge and involves being able to perform threat models, run a bug bounty program, integrate and understand data from security tools like SCA, and work closely with engineers to remediate specific vulnerabilities. The key isn't just finding vulnerabilities, but understanding the story the data tells you and focusing on fixing full classes of vulnerabilities. The goal is building secure paths with the least friction to reduce the attack surface.
Demonstrating AppSec skills in an interview
Jeevan's interviews test AppSec skills through rounds on threat modeling, secure design (where you architect solutions and discuss controls), and secure code review. He says to expect questions on common web application vulnerabilities and general security concepts (like TLS encryption), and be ready to deep-dive into your past security projects.
Software Development Skills
This is called out as a baseline requirement for all levels of AppSec engineers, regardless of seniority. Jeevan shares several examples of how a security engineer uses development skills in his team:
- Basic automations: Like pulling data from an API and storing it.
- Advanced automations: Using data to drive impact, like creating Slack bots to reduce friction with vulnerability tickets or managing SLAs.
- Build security controls: Creating middleware for authentication or validation, understanding edge cases and corner cases.
- Build security features: Developing user-facing features like SSO or MFA to reduce specific risks (e.g., account takeover).
- Embed with Engineering: Working directly within an engineering team on complex or sensitive features to provide hands-on security support while building functionality.
Demonstrating software development skills in an interview
As might be expected, candidates for Jeevan’s team must demonstrate they can write software. There's usually a dedicated software development interview round, and the secure code review round (from above) also provides signal here. You should be prepared to discuss projects where you built automations, controls, or features, or where you worked closely with engineering.
Jeevan notes that diverse work histories can be a huge bonus. Taking a "detour" through software development roles can significantly accelerate your security career, and it’s highly beneficial to have a background in roles like DevX, DevOps, Infra, Platform, Data Infra, or even Product Management.
Influencing Skills
Because AppSec teams are lean and can't fix everything themselves, influencing engineers and others is a massive part of the job. Jeevan shares how a security engineer should be able to influence various groups of people in the organization based on their needs:
- Individual Contributors: Need technical, software-grounded communication to help them directly fix vulnerabilities. Trust is key here, built by presenting accurate, exploitable issues.
- Engineering Managers: Need data-driven communication to understand security priorities and ensure vulnerabilities are fixed.
- Directors: Work with them to drive strategy and initiatives, track progress, and ensure their teams meet security goals (e.g., clearing critical/high vulns by a certain quarter).
- VPs: Talk to them to drive higher-level strategy across their organizations. Getting VP buy-in helps push security initiatives down the chain of command, as engineers often listen more to their VPs than individual security engineers.
Demonstrating influencing skills in an interview
Communication skills will definitely be assessed during technical rounds, so keep this in mind! If a software engineer is present in your threat modeling or secure design round, it's a chance to show collaborative influence. If there’s a role-playing scenario where you explain security concepts to an interviewer pretending to know nothing about security, this is a direct test of your ability to communicate and persuade. And as with other companies, Jeevan’s interview loops include a round where the hiring manager seeks to understand how you achieved impact and influenced others.
Program Management Skills
Many security projects are long-term efforts (9-15 months). Program management is an underappreciated skill set that’s essential for driving impact. Several examples of key program management skills are:
- Defining the project's vision and goals
- Creating documentation to align stakeholders
- Setting milestones and estimated delivery dates (show value throughout the project's life, not just at the end)
- Holding stakeholders accountable
- Providing regular status updates to leadership
- Using data and metrics to measure and calculate impact
Demonstrating program management skills in an interview
Be prepared to discuss large projects you've run, and have concrete examples of 1-2 high-impact projects you’ve managed. Explain how you defined goals, set milestones, managed stakeholders, provided updates, and, most importantly, measured the impact using data. For example, if you integrated a tool like SCA, talk about the results – how you ensured developers fixed vulnerabilities, tracked the outcome using data/trend charts, or implemented gates to prevent future issues, not just that you integrated the tool.
AI Skills
AI is changing the application security engineering role in many ways, which can be summarized in two trends.
- Increasing output: AI helps developers build features faster and helps security teams with tasks like coding and operational work.
- Decreasing toil: Many vendors are incorporating AI into security tools, offering features like security co-pilots, advanced SAST, and even tools mimicking pentesting.
While increased productivity could potentially lead to fewer security roles as individuals become more efficient, AI also introduces a whole new world of vulnerabilities and attack surfaces. To adapt to these changes and stay relevant, Jeevan suggests that individuals learn more about AI and AI security gaps. This new area of expertise could potentially become a fifth bucket of required skills, or at least a crucial subset of application security skills.
Getting skilled in AI creates new opportunities for AppSec engineers on the bleeding edge, but understanding AI security is likely to become a requirement for everyone.