For an appsec team to have a chance in hell they need to be able to understand the application code, no?

This seems like a reasonable complaint given that it’s a problem for polyglot dev teams.

> For an appsec team to have a chance in hell they need to be able to understand the application code, no?

No, especially for networked services.

There is a lot of homework that has to happen for security teams to even begin to look into the actual source code.

What you need to learn is how the application interacts with the outside world and how to secure those mechanisms. It can be a black box – and for the most part it should, otherwise you'll be bogged down in minutia while there are big holes waiting to be plugged.

What you may need to understand in more depth are the protocols in use and the access controls. But again, the programming language or the exact code matters little. Even if you have to do stuff like correctness proofs, congratulations! You are now part of the development team. Now you need to add security folks to look into the big picture again.

Technically, addressing the flaws that deep can be valid. But this was major low-hanging fruit: not having proper protection on their cloud servers was what made this breach, and that is a config issue, not a language issue, on the technical end. On the management end it is an issue of utter user technical incompetence.

diversity of code base is a strength, except to vendors and pointy-haired ones