Synopsys point of view
As the Forrester report states, if application security is going to improve, it will require developer participation. For this reason alone, a developer security champions program is vital for any organization looking to prioritize security. In the “Building Security In Maturity Model” (BSIMM) report, we refer to a group of champions as a satellite, but the concept is identical. Members of the satellite are external to the software security group and may include developers, testers, and architects.
Satellite members are sometimes chosen for software portfolio coverage, with one or two champions in each product group; in other cases they are chosen to ensure technology stack coverage or geographical reach. Sometimes they’re focused on specific issues such as cloud migration or Internet of Things (IoT) architecture. We’re also beginning to see organizations deploy champions to bootstrap the security functions required for transforming a product team from DevOps to DevSecOps.
The more successful satellite/security champions programs we see are those in which training is an ongoing focus, both formally and informally. Satellite groups get together regularly to compare notes, learn new technologies, and expand stakeholder understanding of the organization’s software security state. Similarly, and mirroring the community and culture of open source software, an increasing number of motivated developers are sharing digital work products such as sensors, code, scripts, tools, and security features (rather than, say, getting together only to discuss a new policy).
Specifically, these developers are working from the ground up to deliver software security features and awareness through implementation, whether or not guidance is coming from the top down.
Lastly, and to echo the findings provided by Forrester, BSIMM11 found a correlation between an organization’s overall security maturity and its use of a satellite or security champions program. Of the 15 organizations with the highest BSIMM scores, 13 have a satellite. At the other end of the spectrum, the bottom 13 organizations have no satellites at all.