How do Security Champions enable an AppSec culture?

A Security Champions program trains developers to drive your firm’s AppSec culture, resulting in a direct impact on the resiliency of your firm’s software.

What are Security Champions?

Security Champions are developers who have a direct impact on the resiliency and security of their firm’s software. They’re enthusiastic volunteers willing to participate in advanced software security training to perform an important role. They’re also a part of a greater community of Champions exchanging ideas and techniques.

Since Security Champions come from within the development organization, they have the right relationships to better assist developers, testers, and architects in accomplishing their goals. Security Champions can usually communicate more effectively with software teams than the centralized software security group (SSG) can.

How do you design a successful Security Champions program?

Consider these two important parameters when designing a Security Champions program:

1. Breadth versus depth of duties. Should Security Champions serve primarily as developers with a focus on security? Should they concentrate on performing all the secure development activities on behalf of their teams? Or should they be responsible for security activities across multiple teams as embedded security personnel?
2. Time commitment. How much time will Security Champions need to perform the duties outlined above? Should they be part-time or full-time?

These parameters are major factors in the design of your organization’s program. You might have Champions who work primarily as developers but also play a larger role ensuring their applications are secure. Or your Champions might spend all their time performing security reviews, providing remediation assistance, and training developers across a portfolio of applications.

Types of Security Champions programs

Among our customers, we’ve observed three primary types of programs: training-focused programs, activity-focused programs, and hybrid programs.

To determine the best approach for your organization, start by clearly defining your program goals. Do you need to scale a comprehensive set of security activities across the organization to keep pace with agile teams using dedicated staff? Or would you rather focus on training developers to be more security-minded when they write code?

Training-focused program

In a training-focused Security Champions program, developers undergo advanced training through e-learning and/or instructor-led courses. Once the initial training is complete, they resume their development responsibilities. They should also have backing from a Security Champions community to whom they can reach out for support. After initial training, Champions should attend periodic technical talks and events to stay current on industry trends and new risks.

Merits of the training-focused approach:

• Requires minimal time commitment after initial training
• Contributes a resource to development teams who can drive the adoption of security requirements, policies, and tools
• Imposes a low cost on the organization
• Provides a source of feedback to help improve the SSG’s impact

Activity-focused program

At the other end of the spectrum are activity-centric Security Champions programs. This approach builds on the same training but extends its reach to encompass all secure development activities for a collection of teams. In this approach, Champions are assigned a portfolio of applications—usually related to teams with whom they’ve worked previously. They undergo specific training to build new skills so they can perform various security activities throughout an application’s development cycle. In this capacity, Security Champions oversee adherence to the organization’s secure SDLC.

Merits of the activity-focused approach:

• Provides a way to scale security activities throughout the organization’s development teams
• Nurtures the organic growth and development of new security experts
• Assigns dedicated security experts to applications

While an activity-focused Security Champions program provides a great deal of value, it’s more complicated to establish. It involves careful attention and maintenance. And it requires a greater time commitment, which can also seem costly—though if it’s created and managed effectively, the benefits will greatly outweigh the costs.

Hybrid programs

Funding full-time Security Champions isn’t realistic for most organizations. Instead, many have put together successful hybrid approaches that find a middle ground between training-focused and activity-focused programs. In a hybrid Security Champions program, part-time Champions are responsible for providing remediation guidance and performing a smaller set of security activities while maintaining their responsibilities as developers. Thus, the SSG can still provide value while managing costs.

Get the free eBook: Security Champions and DevSecOps