In today’s software development culture, there is an ever-increasing need for management to drive empowerment within their teams. You need to seek out, identify, and empower someone who can act as your team’s security champion. Find at least one champion to start, and add more if they are available. As you grow, you may even consider assembling a Security Champions team.
Security champions should have some security background or knowledge of cyber security, as well as being willing, able, and motivated to learn much more. Your champion can be a current team member or a qualified contractor/consultant. A thorough knowledge of the team’s goals is necessary. A security champion needs to be a positive person that can offer diligent observations and constructive suggestions to the team.
Within their role, they should be interested in staying up-to-date about evolving developments in the field and be willing to contribute to security tool set, process, or security libraries. They could provide DAST/SAST tooling support, perform secure code reviews in their area of expertise, or participate in proof of concepts of beta testing of new security tools, among other tasks. A more experienced security champion will be able to perform proof of concepts exploits and security review applications. More experienced champions will also likely have a security certification such as an OSCP or SANS.
Regardless of the level of experience that they hold, your security champion will promote the best practices in application security. They will work with your systems architecture and engineering teams, and with DevOps and DevSecOps project leaders. To find your first champion, you may choose someone who has excelled in their Application Security Training courses, as an example. Their knowledge of security threats and remediation methods will be of great assistance in preventing and eliminating security problems earlier in the software development lifecycle.
Your security champion(s) will act as the reminder to be conscious about security in team meetings and design sessions. Within this role, there are specific benefits derived from having security top-of-mind everyday.
How much risk are you willing to take on? Do you know what it means for you to receive a critical, high, medium, or low vulnerability? Once you receive your report results, what is your likely plan of attack?
A security champion can be the person to help answer questions ahead of the test. They will hold knowledge on what typical SLA guidelines are, and know which would be most relevant for your organization. Then, when a report comes in, an immediate response plan can be implemented. This is especially important in case the report were to return any critical vulnerabilities.
Regulatory guidelines are changing all the time, and it’s almost a job in itself to keep up with the latest requirements. In most cases, developers don’t already have a baseline knowledge on what it means to have compliant applications either as the topic is not yet included in most software engineering programs.
Engaging a security champion to familiarize themselves with the important technical and compliance guidelines within your industry can significantly streamline your efforts. Your dedicated person (or team) can understand relevant regulatory requirements and translate those needs into local-level knowledge that applies specifically to your SDL requirements. As they’re involved in this process, security champions can possibly even identify cybersecurity issues when they are still small and easy to patch over.
Rather than deploying your code and crossing your fingers, your security champion can proactively identify key focus areas for compliance alignment. Prioritizing your focus areas and preparing for requirements (such as security testing) in advance ensures you can provide the necessary time and budget. It also eliminates the possibility of duplicate work since you will have developed an already compliant application vs. one that has to be modified later.
As we discussed above, compliance requirements are growing quickly. At the same time, vendor security questionnaires are becoming much more frequent.
Are you spending a significant amount of time answering these questionnaires? Are you unsure of how to phrase an answer or finding it difficult to centralize your appsec information?
A security champion will be well-versed in the best practices to address security concerns. They can support with answering the security questionnaire, and can also be there to support your conversations with the vendor.
Does your team already have a specific go-to location for security issues? Where do they go when they have a question about secure coding? Or what if they need to report a breach?
In cloud infrastructure companies as an example, 31% of application developers either don’t understand infrastructure risk, or they don’t know what to do to mitigate it.
A security champion would be able to gather information and insights on security issues into a collective internal security knowledge base. This database would become the learning and reference tools for anyone else on the team who wants to learn about security. It would also ease training for new security champions in the future.
Having a central point of contact for security issues streamlines the workflow. Practicing this approach in the day-to-day operations prepares your team to act efficiently in the case of a security crisis. After all, wouldn’t you hope to secure a breach sooner?
Enabling a security champion or a team of champions is an ideal way to ensure security needs are met at every stage of the software development lifecycle. Dedicated professionals are able to dive deeper into their specialization and produce better information and insights compared to a team who is only semi-involved in the topic. Periodic sync-ups between the security champions and the rest of the team can be an efficient way to flow new information regarding industry best practices, new compliance guidelines and security policy updates. With a solid security c champion (team), you will set your organization on the path towards more efficient secure application development processes.
Interested to learn more ways to improve your application security posture? Download our comprehensive guide, showing modern CTOs how, when and why they should integrate security processes at each stage of a business' growth.