It’s time to enlist Security Champions to fuel Agile development

Security Champions can help you apply security activities throughout your organization to promote secure agile development. Here’s how to get started.

Security Champions can fuel secure agile development
A 2015 Gartner report estimated that 25% of Global 2000 organizations would be using DevOps and agile development practices as part of their mainstream strategies by the close of 2016. Our experience with Synopsys customers confirms this prediction has come true.

In agile development, teams pass through the software development life cycle (SDLC) far more often than in traditional development models. Some development teams complete an SDLC over the course of two weeks, while others complete one daily.

A traditional software security group (SSG) isn’t equipped to apply security activities to agile development environments effectively. Creating secure agile development processes requires the injection of security-related people, processes, and testing activities at a sprint tempo.

This tempo leaves little time for security teams and resources to review the software, deliver information on security and quality defects, and retest without disrupting the workflow. Even if SSGs dedicate staff to each project (which is usually out of the question), there still isn’t enough local knowledge of each application to get everything done well.

So how can we inject security into agile development?


Enlist developers

Developers are familiar with an organization’s software. They are familiar with the organization’s development groups. And they have a deeper understanding of the technical issues and challenges that the organization faces. Recruit these developers as Security Champions. Train them in defensive programming and how to identify security defects. Additionally, empower them with responsibility for the security of the applications they work on.

What are Security Champions?

Security Champions are developers who have a direct impact on the resiliency and security of their firm’s software. They are enthusiastic volunteers willing to participate in advanced software security training to perform an important role. They are also a part of a greater community of Champions exchanging ideas and techniques.

Since Security Champions come from within the development organization, they have the right relationships to better assist developers, testers, and architects in accomplishing their goals. Security Champions can usually communicate more effectively with software teams than the centralized SSG can.

What are the selection criteria for Security Champions?

It’s important to note some qualities that make a good Security Champion. Candidates provide the most value when they can draw on past development experience, so Champions must have worked as developers within the company’s own development organization. One way to find Champions is to seek nominations from application owners and stakeholders within that organization; the best way is to recruit developers who are already self-starters in software security topics.

Additional Security Champions criteria:

  • At least two years of software development experience
  • Leadership skills or potential
  • Strong communication skills
  • Hands-on technical proficiency in languages and frameworks within their domain
  • Demonstration of application security aptitude through participation in existing application security activities

Looking ahead

With agile becoming a popular development methodology, a Security Champions program can help an SSG apply security activities throughout an organization and in agile environments. Additionally, Champions have a unique perspective and can provide the SSG with valuable feedback to help guide the continuous improvement of the software security initiative.


Posted by Brendan Sheairs

Brendan Sheairs is a managing consultant and serves as a subject matter expert for Security Champions projects at Synopsys. He works closely with organizations to design, build, and implement their software security initiatives in markets such as healthcare, finance, and telecommunications. In addition, he works with various teams of principal consultants, senior consultants, and consultants to manage and oversee the delivery of Synopsys services to clients in the Mid-Atlantic region. Brendan has led several projects with a number of Fortune 50 companies to implement and mature their Security Champions initiatives. He has been a CSSLP since 2013.
