
BSidesSF 2026 - More Role Models in AppSec: How to Get It Right (Alexandra Charikova)

BSidesSF 2026 · 22:09 · 7 views · Published 2026-05
Style: Talk
About this talk
Drawing on interviews with 100+ security leaders, Charikova argues that AppSec success hinges more on people skills—trust-building, internal marketing, mentorship—than on pure technical depth. She examines the gender and archetype diversity gap in AppSec, the self-reinforcing lack of role models, and the distinct roles of mentors versus sponsors. The talk offers practical ways conference organizers, community leads, and individuals can widen visibility and break the feedback loop.
Original YouTube description

More Role Models in AppSec: How to Get It Right
Alexandra Charikova

After speaking with 100+ security leaders, I've learned AppSec success is driven more by people skills than pure tech. This session will explore how we can promote diverse leaders who combine technical insight with the ability to build people skills, mentor, and foster an inclusive AppSec culture.

https://bsidessf2026.sched.com/event/fef9a790f818eaaf4a04f9defee8599b

Transcript [en]

I would love to introduce you to Alexandra Charikova with her new talk on role models in AppSec and how to get it right. Please welcome our next speaker.

Thank you. So, hi everyone. Thanks for joining. I know it's the end of the day and everyone is a little bit tired, so it's time to take a seat and relax, and you'll get to the drinks afterwards. To get started, I just want to get it out of the way: I'm not here to tell you how to run scanners, how to triage vulnerabilities, or how to understand specific frameworks. I'm personally not an AppSec engineer. I'm an AppSec community builder who got obsessed with a question after talking to over 100 security leaders: why did most of them say that the hardest part of the AppSec job actually has nothing to do with penetration testing or scanning or the tech stack, but has to do with humans? And my question is also how we create enough representation to cover not only the technical aspect but also the human aspect. That is the question that brought me here today.

But before I dig into the answers, I wanted to ask the room something. How many of you had a role model when you started your career? Okay, well, some of you, some not. And keep your hand up if you think they resemble what you've become today, or resemble you in some way. Okay. Well, some of you. I think that's what we see a lot today.

And for those of you who didn't have role models, or those who are not in the AppSec field: what mindset comes to mind when you think about a career in AppSec? Something we see a lot is either someone who breaks applications, or someone who checks the vulnerable code (well, how many bad coders are out there now can be quite frustrating, and I hope no one smashes computers like that when they see yet another vulnerability introduced by AI), or someone who is building relationships with the developers and other stakeholders across the field, which, at least from the conversations I've had, is often the hardest part of it. All of these are valid aspects of the AppSec job on a team, but my talk is also about how we ensure that we cover a diverse set of these personalities so that AppSec teams are set up for success, and especially the last one, by building role models who represent all aspects of the job.

Before we dive into the conversation, the standard slide of who I am. I'm a growth and community builder at a company called Escape. It's an offensive security platform. I'm also the host of the Elephant in AppSec podcast; check it out on YouTube. I also co-organize BSides Amsterdam and OWASP AppSec Days France, which we started last year and are continuing again this year. I'm a former engineer who turned to growth and community in security. And I also love everything about food, so if you have any tips for San Francisco, please come by afterwards and tell me. I'll be happy to hear them.

To continue my point: after interviewing a lot of leaders, one of the quotes that stood out is from Jacob Solomon, that people problems are actually very challenging and hard, probably the hardest ones to address, and that we cannot apply the same engineering approach to them as we would normally to engineering problems; they're very hard to solve. Something else I wanted to highlight is that the AppSec theory-practice gap is real. For example, this image is by Neha The Melak, from one of her articles on the blog called Venture Security. She's an AppSec engineer. What I wanted to highlight is what lives in the chasm: information asymmetry, integration complexity, velocity versus rigor. These are not always problems that you fix with better technical solutions. These are problems that you can fix by actually having people on your team who are trusted by the people they are trying to protect. Building trust is something we talk about a lot in security in general, and building trust is a people skill. You cannot really automate trust between a security team and an engineering team. You have to earn it. So who actually succeeds at bridging this gap? What does this person look like? We'll talk about that later.

Another important point I wanted to highlight, and it's not something that's really unknown, is that there is a diversity gap in AppSec, which potentially contributes to how well we cover a diverse set of skills. Here I focus specifically on gender, since it's something I witnessed firsthand through organizing community events. There are a bunch of things that we see and that we don't see. Something we see is a number I pulled from ISACA: women represent 22% of security teams on average. In the security teams we are working with at Escape, the diversity is quite low, and also at the conferences I've organized. For example, at the OWASP conference we had one woman among 15 speakers, and at BSides it was a little bit better. The problem actually comes from the call for papers. Out of 100 applications, I'm not sure if you can guess how many we received that were by women. We even partnered with local women in security and privacy groups. We sent out DMs. And there were six, out of more than 100.

What I wanted to highlight here is that it is a natural, self-reinforcing system. We see fewer role models on stage. There are potentially fewer applicants because they don't see themselves being there. There are fewer speakers, and that contributes to even fewer role models. This is something that doesn't fix itself. It requires someone who thinks about those problems and tries to interrupt the cycle. The truth is that we tend to pick people who resemble us, and celebrate people who resemble us in some way. And the archetype you celebrate also determines who belongs next to you.

For example, this framework is from Larkin Carvalho, who wrote an article on the Secure Crafting blog. It's a very interesting article, so highly recommended; there is a link on the slide. I also made an archetype poster at that time, actually without realizing it, based on the podcast conversations. It looked different, but if you're curious about it, feel free to stop by after the talk. Here there are four different archetypes that you can see: the orchestrator, the builder, the specialist, and the rapid responder. All of them represent different sets of skills. You can see, for example, that the orchestrator succeeds through relationships and mainly coalition building. There is a technical brain but no single technical superpower; it's a jack of all trades at scale. But at scale, this person is actually the one who gets security programs to move in a large organization. This is the archetype we don't always think about, and it's a bit harder on the hiring side as well.

So what makes a role model in AppSec? I think everyone would define it differently. On my side, what I could think of from the conversations is more diverse leaders who combine technical and people skills, showing that AppSec is accessible for everyone, wherever you are coming from. Something to think about is that after 100-plus interviews, especially at different levels, the one thing that separated the AppSec programs that worked from those that didn't wasn't always specifically technical knowledge. It was whether the security team was trusted internally, had a good internal brand, and was trusted by developers as well. That matters more and more the further you go up the application security ladder.

Soft skills are often treated as a bonus for technical people, something that you might learn or not. But something to think about for yourself, which I wanted to highlight in this talk: what if we flipped it and treated technical skills as the bonus for some profiles on an AppSec team, with the soft skills coming first? With the exception of when you are a one-person AppSec team and, of course, have to be in all places at once. There are some quotes I wanted to put up that highlighted this point of view: one from Kun Hendrick, director of product security at Zendesk, and another from Kavya, director of product security at Signal Group. I think they are both highlighting the point that the relationship with the engineering team is incredibly important; the fact that security is internal marketing, and that marketing itself is a skill, something that needs to be built and developed, a muscle that you can train; and also, in both quotes, you can see that building trust means giving a carrot to engineers. In Kavya's experience, she saw a huge difference when they treated the relationship more as giving something instead of the stick.

Another part, on mentorship: I think what is really important is that finding the right mentor is essential for someone's growth. If you have a role model, if you have a mentor, if you have someone who inspires you, you can always reach out to them. What is important in that specific point is that it has to be someone with whom you resonate, who understands where you are coming from, and that's something we see as well.

So, to step back a little bit and think about what makes a role model, because for everyone it's going to be a different thing: what is a role model actually doing? I wanted to think not only about what they represent, not what they symbolize in itself, but what happens inside someone when they see someone they recognize as their role model. Because if you see them, you think: if they can, I can. That's it; that's the whole thing. They don't need to know you exist. You just need to see them. And that may be very different from a mentor. A mentor needs a relationship. One good example of cyber mentoring sessions: I don't know if some of you know, but if you work in AppSec you most likely know Tanya Janca, and every Monday she organizes cyber mentoring sessions. It's a great example of that, and I think it's something that's very valuable.

But I also wanted to highlight the last part: there is the sponsor, which is a word we don't always use as an important one. We talk about role models, we talk about mentorship, especially about mentorship, but the sponsor is someone who actually uses their capital for you. They put their reputation behind someone who hasn't proven themselves in that context yet, and they open the doors. Sponsorship is actually the mechanism that redistributes power: not just giving opportunity, but also the power to succeed. So part of the answer is here, when you think about why the diversity gap is also self-reinforcing and why the feedback loop I mentioned at the start doesn't break.

On that point, I think visibility in itself is a resource, and the question is: are you, for example in your personal life, also redistributing it equally to the people you are working with? If you have enough visibility and enough representation, it's also inspiration for newcomers to the field. Bringing in more diverse profiles by showing them how to succeed is incredibly important. And something that's maybe worth highlighting: you don't have to be an AppSec engineer, AppSec manager or product security director to provide visibility for someone who is just passionate about application security.

One of the cases I'm really proud of hearing about is the feedback I had after one of the podcast recordings, from a security engineer who works at a large bank in the Netherlands. Her general focus was on API security, but she came to me eight months after the recording and told me that it had really impacted her career: she got invitations to speak at different conferences. At the conferences, people came to speak to her and ask her to be their mentor. So she started to be seen as the role model for someone more junior, and people started aspiring to look like her, which contributed to her career. She also got job interviews from highlighting her experience. I think that's something that is really powerful to do, because you create that feedback loop. If we go back to that part: by giving someone visibility, there are other people who actually see that person being represented on stage; they want to be a mentee, in a sense, and they think, okay, if she can do it, I can do it as well, and get started with their career.

So how do we create those platforms for visibility? There is a difference between the external and internal sides, so let me double down on that. I just wanted to give some examples from my own experience. If you are, let's say, a conference organizer (there are BSides organizers here, and volunteers as well), you can send out direct messages to ask people to apply, and partner with local diversity or cyber groups. If you're a community lead on the vendor side, and I don't know if there are any in the audience, this is also super easy to do in a sense: make sure you actually invite speakers with diverse opinions, because there is nothing better than seeing people with diverse opinions arguing a bit with each other. And something that's important, which we don't always think about when we organize those conferences, is making sure that the talks are not only 100% technical, but also about why relationships with engineering at scale matter, because, as the quote earlier said, security is, in a sense, also partially internal marketing. It could be interesting to do, for example, a talk on how to do internal marketing for application security teams. That's something I haven't seen, but it's definitely an interesting idea.

For those who are not conference organizers but just submit: you can try to submit to a CFP for the first time, or encourage someone to submit theirs. It's just a small step, but as we've shown before, it can significantly impact someone else's career, let them be seen as a role model, and invite more people into the field. We're doing the call for papers for OWASP AppSec France now, until the 7th of May. So if you can travel, please apply. And BSides Amsterdam is going to open later.

Something else I've done, for example with Christine, who is a leader of the SecOps meetup in Paris: we invited security practitioners, three out of six of them in AppSec, to come and share and show examples of the roles you might have in the field, which is also potentially an inspiration. And here I don't want to talk only about women, but in general about underrepresented groups sharing their experience.

Another part: giving someone visibility externally might be easier in a sense, because that's something we see, but how to also give exposure to role models internally is something to think about. As I mentioned before, it's a feedback loop yet again. You can start by spotlighting someone, or sharing the right wins publicly if they've done something well. Most companies now have all-hands meetings; it's so easy to just highlight someone else's win or share a message on Slack. It gives internal visibility, and people move internally, so that's important as well.

Also, write about the unglamorous work. What I mean by unglamorous: we see a lot of technical blogs about how someone built a new scanner, how someone automated XYZ, how someone built yet another AI agent. I can tell you, on the CFP side, we've seen a lot of AI talks, a lot of AI agent talks; they get more than half of the applications, and probably even more this year. But it can also be how to market yourself internally, which is an important skill. So you can, for example, write a blog post and share it internally and externally about something you've actually done, if your company allows that. For example, post how you rebuilt trust with an engineering team that didn't like security. And that maybe makes someone who is good at people skills think, maybe I belong here too. Because it's something we see more and more: for example, right now they're starting to create an OWASP security culture group, which shows that there will be more and more emphasis on it in the coming years as well.

And maybe one last thing before I wrap up: I think it's believing in young people. That's something I wanted to highlight, because role models don't appear by themselves. They are created by making an effort around this, by the decisions of leaders in a room like this one. So hopefully you get inspired a bit after this talk about who gets nominated, who gets introduced, who gets the microphone, like thanks to the Iyana Foundation. At the start of this talk, I think hands went down for some people when I asked if your role model looked like you, and I hope it's time to think a little bit wider and actually help to build them. Yeah. That's all. Thank you.

[applause]
