Show that security checks are automated in the pipeline, not manual gates. Developers should get fast feedback on security issues, not a report two weeks later.
Look for: dependency scanning, SAST/DAST tools in CI, secrets management (secrets kept out of code), container image scanning, least-privilege access controls, network segmentation, and security review processes. The best candidates discuss shifting security left and making it a developer responsibility, not just a gate.
DevSecOps is increasingly expected. Candidates who treat security as someone else's problem are a risk. Look for practical integration, not just policy awareness.