Application security is difficult: it requires developers and, especially, development team managers to adjust and make security a priority alongside other, more traditional development priorities such as features and timelines. Additionally, developers don’t typically have secure design and coding expertise by default, and this knowledge gap is a challenge that must be overcome.
Unfortunately, application security is even harder to scale than development, and there are far more developers writing code than there are people trying to secure it. For more information on the issue, check out the Building Security In Maturity Model – or BSIMM – as a general source, or the BSIMM material on software security groups in organizations in particular.
Piling on top of this already apparent issue, development practices have evolved quickly from waterfall to agile to DevOps. Development is happening faster and at a greater volume than ever, and there is no indication that this is going to slow down in a world being eaten by software.
To help address these issues, organizations have started establishing security champion programs, embedding individuals with security expertise into development teams and using them to extend the reach of the central software security group, making security expertise more accessible to developers.
These programs are an attempt to promote the value of security expertise and capabilities outside of the central software security group, pushing security to the “edges,” and into the various development teams spread throughout an organization.
When thinking about how to start a security champion program, consider the following suggestions:
- Choose Your Champions Wisely – Security champions are going to be the local representatives of your application security program and need to be able to act the part. They need to be developers and have at least a moderate level of experience. This gives them the credibility required to call development team members out on bad behaviors and to hold their own in technical debates. Asking for help often isn’t easy, so security champions need to be approachable. We have had success identifying security champions when they go through instructor-led training courses by keeping an eye out for the students who really take an interest in the subject matter and keep themselves ahead of the class.
- Make It a True Career Path – Security champion programs are a new addition to most organizations, so they often don’t start with the formal trappings of other established career paths. There is no shortage of opportunities for trained security engineers, so if you want to keep these talented security-minded developers it helps to provide a path for career progression containing both goals and milestones. You will also have to plan for a training budget. We worked with a large bank to craft a matrix of the skills they wanted their security champions to build over time and the level of knowledge they were expected to have at each level of advancement. This provided their security champion candidates with a solid understanding of how they could expect their career to progress over time and gave them specific goals for professional development.
- Make Sure the Champions Are Easily Accessible to Developers – Take full advantage of whatever tools the development teams are using. These days that can include tools such as Slack, JIRA, Jenkins, and so on. At Denim Group, there is a Slack channel solely dedicated to application security where everyone can ask questions and share resources. If your security champions aren’t using the same collaboration tools as the developers, then developers aren’t going to collaborate with them.
- Reality-Check Your Expectations – Too often we have seen a security champion job description treated like a Christmas tree at a kids’ holiday pageant – everyone wants to hang an ornament on it. Security champion roles can be crafted so that they have any number of responsibilities. They can help teams configure and run SAST, DAST, IAST, and SCA tools; triage the results that come from those tools and clear false positives; participate in threat modeling and collaborative security code reviews; provide examples of manual penetration testing; mentor developers and provide more formal training classes; and so on. Only an experienced senior individual is going to be able to do all those things, and they’re not going to be able to do all of that for large numbers of developers, teams, and applications. So – when you’re setting expectations on what you will accomplish with your security champions program, be mindful of the skills your champions possess, and do some quick math on the scale of the development program they are going to be supporting.
Application security can be a challenge to scale, but security champion programs are an excellent way for some organizations to extend the reach of their software security group while fostering more productive relationships between security teams and development teams if approached in a structured and well-planned manner.