Application security is difficult: it requires developers and, especially, development team managers to adjust and make security a priority alongside other, more traditional development priorities such as features and timelines. Additionally, developers do not typically have secure design and coding expertise by default, and this knowledge gap is itself a challenge that must be overcome.

Unfortunately, application security is even harder to scale than development, and there are far more developers writing code than there are people trying to secure it. For more information on the issue, check out the Building Security In Maturity Model – or BSIMM – as a general source, or the BSIMM material on software security groups in organizations in particular.

Compounding this already visible problem, development practices have evolved quickly from waterfall to agile to DevOps. Development is happening faster and at a greater volume than ever, and there is no indication that this will slow down in a world being eaten by software.

To help address these issues, organizations have started establishing security champion programs: embedding individuals with security expertise into development teams and using them to extend the reach of the central software security group, making security expertise more accessible to developers.

These programs are an attempt to promote the value of security expertise and capabilities outside of the central software security group, pushing security to the “edges,” and into the various development teams spread throughout an organization.

When thinking about how to start a security champion program, consider the following suggestions: