Forrester report: ‘Build a Developer Security Champions Program’

Software organizations face two big challenges when trying to secure their applications: understaffed security teams and lack of security acumen in developers. Security champions are an effective way to solve both challenges. By leveraging members of the development team to help other developers address security issues, application security is embedded where it’s needed most.

But a successful program requires more than a few willing developers to act as champions. It requires investment and planning, including executive sponsorship, oversight, training, and rewards. Without such support, the program will likely be short-lived and ineffective.

In this report, Forrester explains the long-term benefits of a security champions program and why it needs to be a formal, funded initiative. The report also provides five steps organizations should take to build a successful program, beginning with making the business case and ending with defining success.

"Don’t look at developer security champions as a timeboxed solution that can be phased out in a few years. In the same way that you wouldn’t get rid of security tools or training once security improved, developer security champions are a long-term organizational change that scales the security team, builds awareness, and ensures that development teams maintain strong partnerships with security leaders."

Forrester Research, Inc. | Build a Developer Security Champions Program | Sandy Carielli, June 12, 2020

Jamie Boote
Senior Security Consultant, Synopsys

Synopsys point of view

As the Forrester report states, if application security is going to improve, it will require developer participation. For this reason alone, a developer security champions program is vital for any organization looking to prioritize security. In the “Building Security In Maturity Model” (BSIMM) report, we refer to a group of champions as a satellite, but the concept is identical. Members of the satellite are external to the software security group and may include developers, testers, and architects.

Satellite members are sometimes chosen for software portfolio coverage, with one or two champions in each product group. Or they’re chosen to ensure technology stack coverage or geographical reach. Sometimes they’re focused on specific issues such as cloud migration or Internet of Things (IoT) architecture. We’re also beginning to see organizations deploy champions to bootstrap the security functions required for transforming a product team from DevOps to DevSecOps.

The more successful satellite/security champions programs we see are those in which training is an ongoing focus, both formal and informal. Satellite groups get together regularly to compare notes, learn new technologies, and expand stakeholder understanding of the organization’s software security state. Similarly, and mirroring the community and culture of open source software, an increasing number of motivated developers are sharing digital work products such as sensors, code, scripts, tools, and security features, rather than, say, getting together only to discuss a new policy.

Specifically, these developers are working from the ground up to deliver software security features and awareness through implementation, whether or not guidance is coming from the top down.

Lastly, and to echo the findings provided by Forrester, BSIMM11 found a correlation between an organization’s overall security maturity and its use of a satellite or security champions program. Of the 15 organizations with the highest BSIMM scores, 13 have a satellite. At the other end of the spectrum, the 13 lowest-scoring organizations have no satellite at all.