A Security Champions program trains developers to drive your firm’s AppSec culture, resulting in a direct impact on the resiliency of your firm’s software.
Security Champions are developers who have a direct impact on the resiliency and security of their firm’s software. They’re enthusiastic volunteers willing to participate in advanced software security training to perform an important role. They’re also a part of a greater community of Champions exchanging ideas and techniques.
Since Security Champions come from within the development organization, they have the right relationships to better assist developers, testers, and architects in accomplishing their goals. Security Champions can usually communicate more effectively with software teams than the centralized software security group (SSG) can.
Consider these two important parameters when designing a Security Champions program:
These parameters are major factors in the design of your organization’s program. You might have Champions who work primarily as developers but also play a larger role in ensuring their applications are secure. Or your Champions might spend all their time performing security reviews, providing remediation assistance, and training developers across a portfolio of applications.
Among our customers, we’ve observed three primary types of programs: training-focused programs, activity-focused programs, and hybrid programs.
To determine the best approach for your organization, start by clearly defining your program goals. Do you need dedicated staff to scale a comprehensive set of security activities across the organization and keep pace with agile teams? Or would you rather focus on training developers to be more security-minded when they write code?
In a training-focused Security Champions program, developers undergo advanced training through e-learning and/or instructor-led courses. Once the initial training is complete, they resume their development responsibilities. They should also have backing from a Security Champions community to whom they can reach out for support. After initial training, Champions should attend periodic technical talks and events to stay current on industry trends and new risks.
Merits of the training-focused approach:
At the other end of the spectrum are activity-centric Security Champions programs. This approach builds on the same training but extends its reach to encompass all secure development activities for a collection of teams. In this approach, Champions are assigned a portfolio of applications—usually related to teams with whom they’ve worked previously. They undergo specific training to build new skills so they can perform various security activities throughout an application’s development cycle. In this capacity, Security Champions oversee adherence to the organization’s secure SDLC.
Merits of the activity-focused approach:
While an activity-focused Security Champions program provides a great deal of value, it’s more complicated to establish. It involves careful attention and maintenance. And it requires a greater time commitment, which can also seem costly—though if it’s created and managed effectively, the benefits will greatly outweigh the costs.
Funding full-time Security Champions isn’t realistic for most organizations. Instead, many have put together successful hybrid approaches that find a middle ground between training-focused and activity-focused programs. In a hybrid Security Champions program, part-time Champions are responsible for providing remediation guidance and performing a smaller set of security activities while maintaining their responsibilities as developers. Thus, the SSG can still provide value while managing costs.