WAHH and The Art Of Software Security Assessment (TAOSSA) were the other two. We didn't grill candidates on crypto or have work-sample tests that involved crypto. Sadly: you'd be discarding 95% of the candidate pool, and particularly and paradoxically the experienced candidate pool, if you screened for crypto ability. The software security field is just awful at crypto.