- Application security professionals are outnumbered and often viewed as outsiders by software engineering and DevOps teams.
- Developers working as security champions within their own teams can help scale application security work and improve security culture.
- Training and motivating security champions across the entire organization takes a systematic program and great internal marketing.
- Security pros looking for a place to start can learn from existing frameworks and guides that explain how to build an effective security champions program.
As security testing and secure coding responsibilities continue to be democratized across software engineering and DevOps teams, security champions programs have become a key tool to bolster the knowledge and initiative of developers in their quest to bake security into their daily work.
Most in the application security (AppSec) and DevOps world agree that the typical ratio of AppSec experts to developers is something like 1 to 100 in most organizations, and the number often skews by orders of magnitude to the developer side. So the best way for AppSec pros to get the most value out of their time is to enlist members of the developer cadre as allies in establishing a security culture. This is where security champions come in.
What does a security champion do?
Security champions are most often developers who are interested in better securing their software and willing to put in some extra work to learn what it takes, though anyone with an appreciation for security can participate. Ideally, developers and other volunteers are rewarded with accolades and other incentives for taking this initiative.
Developers who step into the security champion role aren’t just deputized to be the eyes and ears of the security team among DevOps and software engineering teams. The idea is for them to be trusted security advocates embedded within software development teams. They work side-by-side with their peers, mentor their teammates on security-by-design principles, answer timely security-related questions, and point their colleagues to resources to help them brush up on security knowledge and secure coding practices.
Not only does this scale up the efforts of overwhelmed AppSec teams – it’s also far more effective than having AppSec professionals nag developers to address security issues and hope they (begrudgingly) comply. Developers are likely to cast a bit of side-eyed suspicion on their outsider colleagues from AppSec, but security champions have the implicit trust of being part of their tribe.
Establish a security culture
Security champions are perfect change agents for instilling a more deeply-rooted security culture within an organization. According to one study, 84% of software engineers and AppSec pros believe that security champions have the power to improve security and the relationships between security and DevOps teams.
As they advance through their security training, security champions can also become a valuable pipeline of employees available for internal recruitment to the AppSec team. This can help solve cybersecurity skills gap issues and enrich the AppSec team with security experts who automatically have the software engineering street cred required for the trust and respect of the developers they support – a big win for bolstering security culture.
But closing the security culture chasm between AppSec and developers to move from distrust to a cooperative environment full of security champions doesn’t come naturally. While the participation of developers as security champions should be fully voluntary and somewhat organic, enticing them to get involved requires planning and programmatic thinking.
Build a security champions program with intention
The best security champions programs create a systematic framework for training developers in key security concepts across a well-planned learning path. But training is only a part of a strong champions program. Ideally, it should also provide a mix of incentives for doing the training and meeting metrics that show developers are making good security choices in their daily coding practices.
For example, successful security champions programs tend to gamify training and security milestones with points systems and leaderboards. Often, points are tied to visible ranking systems and status levels, much like martial arts belt colors, to foster friendly rivalries. Effective programs also host events and establish a formalized mentorship infrastructure to keep the pipeline for security champions growing. The most successful security champions programs are fun, engaging, and consistently communicated.
Resources to get started
Building a fruitful security champions program from scratch can seem intimidating at first, but luckily there’s a growing body of knowledge and documentation on how to get started. The following are four resources that companies can lean on as they design their own security champions programs. These include a mix of guides, playbooks, frameworks, and other resources to help determine what works and what doesn’t when designing a solid security champions program.
- Software Security Takes a Champion: The Software Security Takes a Champion guide offers a great entry-level document for security leaders dipping their toes into the security champions waters. It was written by a coalition of AppSec and development experts from SAFECode, a nonprofit industry group focused on helping organizations build up their broader software security programs. The guide also provides security leaders with effective tips on how to convince their executive stakeholders to invest in a security champions program. There’s clearly written insight about the champions’ role and duties, the nuts and bolts of what a program requires, and first steps to get started.
- Security Champion Program Success Guide: Written by Dustin Lehr, a software engineer turned AppSec professional, the Security Champion Program Success Guide is based on Lehr’s personal experience building security champions programs for companies including Staples and Fivetran. The guide includes detailed advice on designing program structure, rewards for participants, goals, and how to roll out the program with communication and metrics.
- OWASP Security Champions Playbook: The OWASP Security Champions Playbook has been kicking around for a couple of years now and is led by Alexander Antukh, a longtime chief information security officer and product security expert. The playbook details six key steps to follow when building a champions program: identify teams, define roles, nominate champions, set up communication channels, build a solid knowledge base, and maintain interest.
- Security Champion Framework: Based on the real-world learnings of Chris Romeo, who created the Cisco Security Ninja Program during his decade at Cisco, the Security Champion Framework positions itself as a roadmap generator for designing an effective program. The framework is loaded with information and systematic metrics for key areas, including security training and education of champions, recruitment and retention, rewards systems, communication, and branding.
The bottom line
Security champions programs are crucial for scaling up AppSec efforts and fostering a strong security culture. By embedding security-focused developers within teams, companies can bridge the gap between AppSec and development, improving collaboration and trust. With systematic training, incentives, and gamification, these programs engage developers, amplify the impact of security efforts, and enhance a company’s overall security posture.