We recruit primarily for mid-to-senior level roles (5-15 yrs experience), and it's the former. I get a lot of candidates that can recite what XSS is at a high level, but for example struggle to explain the things to watch out for that would indicate a possible XSS vulnerability.
One of the other issues I see is that we should be able to take the above-described candidate, which is maybe not exactly what we need but shows promise, and train/mentor them into the type of security professional that we need. But my company (and most others I've seen) are also just really bad at security training and career development. It's a real problem, IMO, that security is treated as an "experienced people only" industry, and is not very welcoming to people that aren't already experts but are willing and able to learn. We are trying to change this in my organization, but it's slow and challenging.
> I get a lot of candidates that can recite what XSS is at a high level, but for example struggle to explain the things to watch out for that would indicate a possible XSS vulnerability.
To be fair, from a devs perspective you need to flip it around in your brain, in order to go from e.g. "you need to sanitize user input to make it safe for a javascript context" to "seeing unsanitized user input that could be getting injected into a script." Even if you know all the right answers, it's still probably not going to come out super eloquently. (And I realize there are other and better answers also, but just to choose one that's easy to explain.)
Something needs to be done at a fundamental level and finding some easier qualification in terms of security professional before this problem could be fixed.
One easy way to fix it would be market economics. Make senior security roles paid grade a lot higher than comparative other similar software engineering roles. These incentives should balance things out in time.
Otherwise I am looking at security professional death spiral.
One of the other issues I see is that we should be able to take the above-described candidate, which is maybe not exactly what we need but shows promise, and train/mentor them into the type of security professional that we need. But my company (and most others I've seen) are also just really bad at security training and career development. It's a real problem, IMO, that security is treated as an "experienced people only" industry, and is not very welcoming to people that aren't already experts but are willing and able to learn. We are trying to change this in my organization, but it's slow and challenging.