When it comes to having a successful application security program within your organization, you need more than just the right tools. One of the biggest challenges is the culture change you need to make security top of mind for everyone, not just the security teams. One effective way to address this challenge is to create security champions within your organization who can act as the voice of security in any given product or team.
What exactly is a security champion? According to the Open Web Application Security Project (OWASP), they are active members of non-security teams that may help to make decisions about when to engage the security team.
The goal of security champions is to increase the effectiveness and efficiency of your application security program while strengthening the relationships between other teams and security. In so doing, security champions enable security to scale throughout the organization and help to build the culture you need for a successful app sec program: When non-security people talk about security and understand its importance throughout the entire software development lifecycle, it stays top of mind for them and for everyone around them.
Beyond just being a voice, champions should have a set number of hours per week to devote to security-related tasks such as collaborating with other champions, attending weekly meetings, assisting in making security decisions for their team, and helping with QA and testing. Champions should also be involved in all risk assessments, threat assessments, and architectural reviews to help identify opportunities to remediate security defects.
The big question is how to create security champions within your organization. Here are six steps to build your A-team of app sec.
1. Identify your team
Back in 2017, in preparation for a presentation for the OWASP Bucharest AppSec Conference, members of OWASP created the Security Champions Playbook, which described the steps you must take to quickly establish a security champion program, regardless of company size or the maturity of your existing security processes.
The first step is to identify teams. Research your organization's structure, identify teams for each product in the portfolio, know the key personnel with whom you must engage, and find out which technologies and languages each team uses.
2. Define the mission
Once you've finished the research step, it's time to define the role of a security champion. To do this, you need to come up with tangible goals and a clear description of what it means to be a champion.
3. Nominate your security champions
This is one of the most difficult, but important, steps of the process. Here are a few things you can do to make this step as successful and smooth as possible. First, since the idea is to nominate the champions for your program, clearly articulate the benefits of being a champion. You can’t expect people to agree to participate and add work to their plate without getting something out of it. The top benefit you should push is this: By working with security in mind, security champions will come to look at things differently.
This is similar to the DevOps idea of breaking down silos between teams so that they can better understand how their work affects the work of others, instead of just blindly throwing stuff over the fence to the next in line. Being a champion also helps to build and establish the security culture, with the result being improved quality of products. With approval from management, you could also have your champions attend some security conferences. And there is always the benefit of self-development, since being a security champion can increase a person's value within the organization and improve career opportunities.
4. Set up your communications channel
Once the champions have been nominated, the next step is to set up communication channels for their use. These channels can be based on whatever technologies your organization currently uses or approves for use, such as private Slack, Skype, or Stride channels, or even a mailing list.
5. Build a solid knowledge base
An internal knowledge base will be the primary source of information related to security. The knowledge base can give access to things such as the organization's global security strategy, descriptions of common risks and vulnerabilities, secure coding best practices, and more.
6. Keep champions' heads in the game
The gains from the previous steps would all be wasted if you didn’t maintain your champions' interest. One way OWASP recommends for doing this is to regularly conduct workshops and training sessions for your champions where you can promote security best practices and further explain the strategies you have in place, your maturity road maps, or even recent news from the security world.
Another great idea is to send out regular newsletters. And for a more casual, laid-back, and social form of engagement, consider getting as many of your security champions as possible to join the local OWASP meetings. These meetings are a fun way to learn, network, and hear some incredible security speakers.
Get with the program
You can find more detail on each of the six steps involved in building a security champion program in the OWASP Security Champions Playbook.
The OWASP online community produces freely available articles, methodologies, documentation, tools, and technologies in the field of application security. Because it's one of the most trusted organizations in the security community, you can confidently follow its roadmap, steps, and guidance to build your own security champion program.