How to Scale Your AppSec With a Security Champions Program
Enterprises that build software with distributed development teams face major challenges in establishing a security-by-design culture. Overworked security teams need a way to scale their application security program without slowing the pace of innovation in development. A security champions program empowers development and security teams to work collaboratively while keeping security intact.
Ideal Profile for Security Champion Role
Shifting security left in the SDLC has moved developers to the front lines of security. They need to become invested in, and take ownership of, the security of the code they build into the product. Pick a member of the development team who has good communication skills and developer empathy, and groom that person for the Security Champion role.
The security team can provide specialized security training to prepare the candidate for the role. This training should cover the existing security policies and controls as well as compliance requirements. The number of security champions to onboard can be a function of the number of products or applications in the portfolio, the complexity of those products and how the development teams are distributed.
Key Role Responsibilities
Since security is an additional responsibility on top of their day jobs, the role can be quite challenging for the people selected. An adequate level of mentoring from the security team and executive-level sponsorship will go a long way toward making the role effective.
Key role responsibilities can include:
- Participate in vulnerability scan reviews (SCA, DAST and IAST) to triage results, identify false positives and give developers actionable feedback close to the time the code is written. Security teams generally run scans late in the SDLC and hand developers a report with little context, which can lead to friction between development and security teams.
- Optimize the DevOps security tool chain with developer-friendly workflows and security templates to improve the productivity of the development teams.
- Mentor the development teams on common security errors. For example, focus on one vulnerability class, such as SQL injection, for a month to build a shared baseline of knowledge before moving to another class, such as Cross-Site Scripting, the following month.
- Discuss any recurring or high-priority security issues with the security team to reach a resolution.
Empower Your Security Champions for Success
A robust onboarding program for security champions is critical to their success in the new role. Security teams need to ensure that the people identified for the champion role receive specialized security training so they can hit the ground running.
Give them a solid understanding of the guard rails of the application security program and the technical controls that need to be in place. Involving security champions in the evaluation of products for security tool chain automation gives developers a seat at the table and builds trust with the development teams.
Security champions should also be given the opportunity to attend industry events such as Black Hat, OWASP and DEF CON conferences to interact with their peers, learn industry best practices and broaden their security knowledge.
Ensure there are financial incentives in place to motivate the security champions, since they are handling security as an additional role on top of their regular day jobs.
Define Meaningful Metrics for the Program
A metrics orientation is essential to measuring the success of the security champions program. An example of a good metric is the reduction in recurring vulnerabilities such as SQL Injection or Cross-Site Scripting over a period of time. Internal pen test or vulnerability scan reports can provide insight into these trends. Run short periodic surveys of the development team to track the effectiveness of the program, with questions such as “Do you know how to report a problem to the security team?”
Team metrics such as developer productivity, feature flow and the quality of code deployed to production are also important for tracking the effectiveness of the security champion program. A combination of these metrics can be rolled up into a dashboard for engineering leadership and central security teams to use in fine-tuning and enhancing the program.