While DevOps can mean different things to different people or organizations, ideally security is an implied requirement of successful DevOps and there’s no need to differentiate by adding the “Sec”. Security should already be embedded.
However, while one of the main promises of DevOps is the collaboration between different teams involved in development, security teams are often under resourced (or lack resources with software security skills) to effectively integrate into all of the active development project teams. A successful approach to mitigate this resource challenge and to extend the Application Security team reach into development teams is to build a Security Champion program.
In this blog, I’ll cover what makes an Application Security Champion, how you identify them, what their responsibilities are, the benefits of having a Security Champion program, and more. You can also view our Fortify Unplugged YouTube video on the same topic: What Makes an Application Security Champion. I hope you enjoy this topic, and feel free to leave a comment or question down below. Now, let’s dive in!
What is an Application Security Champion?
A Security Champion is someone who becomes the team’s security lead in a development project. BSIMM uses the term “satellite” to refer to a group of individuals leveraged by the Software Security Group (SSG) to support secure software development. They have also been referred to as security evangelists or black belts.
Whatever you call them, here’s the issue. The culture of DevOps is about improving the SDLC and reducing the complexity of maintaining software. Security needs to be a part of that, yet security teams often seem out of sync with Development. Security Champions can help by bringing together developer and security mindsets so that the two roles can better understand each other.
What’s key is that Security Champions ultimately need to have passion or enthusiasm around improving the security posture of applications.
How do you identify Security Champions?
The background of a Security Champion can vary. They could be from development or QA, or be an Architect. As I mentioned above, Champions usually have the background necessary to be credible when dealing with developers on a project team, to be that bridge.
When the leader of the Champions program is identifying potential champions, they need approval from managers at all levels, from product owners and direct team managers, as well as buy-in from the security side of the house. They should strive to over-communicate. Development leadership can also help in the identification of potential champions: they can choose eligible candidates and assist in interviews to judge their capabilities, including soft skills like interpersonal communication, which are important for the role.
You may also have to sell the role to the Champion candidates. You need to describe the role clearly and explain the strategy you plan to adopt as well as the advantages of becoming a Security Champion. These could be:
- The chance to attend various security conferences
- Being a part of the security meta-team
- Personal development and the ability to look at things differently
- An opportunity to grow their current job duties (if they are a flight risk)
What are the specific responsibilities of a Security Champion?
Specific responsibilities of a champion can vary by organization. In general, as the security lead on a project team they:
- Raise risk issues in existing code and may conduct SAST or DAST scans;
- Enforce secure coding best practices;
- Help prioritize security stories in the backlog of a project;
- Develop threat models for new features, if that’s part of their process;
- Monitor for vulnerabilities in open source software or in the dev tool chains being used;
- Investigate bug bounty reports, if a bug bounty program is in place.
The Security Champion is the one who has to validate the large number of reported security issues and usually has to explain to the team, over and over again, what a SQL injection or XSS vulnerability is and why developers should care.
It is important to note that upholding security best practices is not just up to the Security Champion. Rather, it is a collective effort of the entire project team. So ultimately what you want is the entire team working with the Security Champions to ensure the security of the application.
What part of the organization do Security Champions report into?
Security Champions usually have a dotted-line relationship with the SSG or AppSec team, but they are not sourced directly from the cybersecurity team. The AppSec team usually has someone who will oversee the Champions program, but the cybersecurity team does not have the pool of resources necessary, either in numbers or in skill sets, to provide the coverage needed for Champions. Depending on the scope of custom development going on within the organization, you may need tens of champions to cover active development projects. Usually they would formally report up through the development or QA side of the house.
How do Security Champions get up to speed to be able to effectively deliver on their responsibilities?
Once you have nominated someone to be a Champion, you’ve got to make them feel special. They are now part of the cybersecurity meta-team or community. They should officially be welcomed to that broader team and get some swag so they can have a bit of swagger. Opportunities for continuous learning and fun activities for the champions are also helpful.
Application security is its own discipline that requires specialized knowledge. Accordingly, these champions will need to grow their knowledge of secure coding best practices and, more broadly, of cybersecurity. Some organizations have a training regime with a progression of “belts” demonstrating competency. Those that achieve black belt status are respected as true champions, adding to their professional swagger.
Some firms initially bring in consultants who are experienced at being Security Champions in DevSecOps; they model the role and help build up the internal resources that can eventually take over.
What resources are out there to help people become Security Champions?
The role definition should be agreed to and posted for reference. It may evolve. The secure development best practices and target risks/vulnerability categories should be clearly defined and available to Champions.
Other AppSec resources available include:
- OWASP Security Knowledge Framework;
- OWASP Application Security Verification Standard;
- SEI CERT Secure Coding Standards;
- SAFECode Secure Development Practices;
- Firms like SecureCodeWarrior have fantastic resources available to train up Champions.
Besides identifying likely individuals, the challenge is to keep the champions motivated. The Champions program leader should run activities like security quizzes or hackathons. Do a security defect of the month spotlight, or a Security Champion’s monthly newsletter.
How do you ensure Champions communicate effectively?
Security Champions are required to communicate consistently with their team members and project leaders. They should be able to use any of the various communication channels available in the company to collaborate effectively.
Security Champions also need to consolidate as much of the technical information as possible and make it readily accessible to the team, thereby fostering a collective approach toward secure product development instead of keeping everyone in small, isolated groups that don’t exchange knowledge.
I recommend an internal collaboration knowledge base like a Wiki. You should also set up communication channels like Slack for champions to share amongst themselves and/or the security meta team.
What are the benefits of having a Security Champion Program?
Security Champions play a significant role in DevOps because they introduce a sense of responsibility for security within their department. Their participation typically starts small and increases gradually. They can help ensure that there really is a “Sec” in DevSecOps.
A desired outcome is for the Champions program to create and foster a security culture in the development project teams they support. A sustainable security culture requires that everyone in the organization is all in. An organization’s security culture is not something that grows in a positive way organically; you must invest in a security culture with your development teams to be successful. Once a Champions program is established properly, the champions will greatly help spread security across the organization and achieve future Application Security goals. It’s also fun to see how most of them buy into the role, get enthusiastic, and develop professionally.