Posted by Brendan Sheairs on October 12, 2017
Security Champions are developers who have a direct impact on the resiliency and security of their firm’s software. They are enthusiastic volunteers willing to participate in advanced software security training to perform an important role. They are also a part of a greater community of Champions exchanging ideas and techniques.
Since Security Champions come from within the development organization, they have the right relationships to better assist developers, testers, and architects in accomplishing their goals. Security Champions can usually communicate more effectively with software teams than the centralized software security group (SSG) can.
Consider these two important parameters when designing a Security Champions program:
These parameters are major factors in the design of your organization’s Security Champions program. You might have Champions who work primarily as developers but also play a larger role ensuring their applications are secure. Or your Champions might spend all their time performing security reviews, providing remediation assistance, and training developers across a portfolio of applications.
Among our customers, we have observed three primary types of programs: training-focused programs, activity-focused programs, and hybrid programs.
To determine the best approach for your organization, start by clearly defining your Security Champions program goals. Do you need dedicated staff to scale a comprehensive set of security activities across the organization and keep pace with agile teams? Or would you rather focus on training developers to be more security-minded when they write code?
In a training-focused program, developers undergo advanced training through eLearning and/or instructor-led courses. Once the initial training is complete, they resume their development responsibilities. They should also have backing from a Security Champions community to whom they can reach out for support. After initial training, Champions should also attend periodic technical talks and events to stay current on industry trends and new risks.
Merits of the training-focused approach:
At the other end of the spectrum are activity-centric programs. This approach builds on the same training but extends its reach to encompass all secure development activities for a collection of teams. In this approach, Champions are assigned a portfolio of applications—usually related to teams with whom they’ve worked previously. They’re expected to perform various security activities throughout an application’s development cycle.
An activity-focused program might require the Champion to perform the following tasks during the SDLC:
Security Champions undergo specific training to build new skills needed to perform activities at different stages of the SDLC. In this capacity, Security Champions oversee adherence to the organization’s secure SDLC.
Merits of the activity-focused approach:
While activity-focused programs provide a great deal of value, they’re more complicated to establish. They demand careful attention and ongoing maintenance, and they require a greater time commitment, which can also seem costly. If they are created and managed effectively, though, the benefits will greatly outweigh the costs.
Funding full-time Security Champions isn’t realistic for most organizations. Instead, many have put together successful hybrid approaches that find a middle ground between training-focused and activity-focused programs. In hybrid programs, part-time Security Champions are responsible for providing remediation guidance and performing a smaller set of security activities while maintaining their responsibilities as developers. Thus, the SSG can still provide value while managing costs.