What Are Security Champions?
Security Champions are developers who have a direct impact on the resiliency and security of their firm's software. They are enthusiastic volunteers willing to participate in advanced software security training to perform an important role. They are also a part of a greater community of Champions exchanging ideas and techniques.
Since Security Champions come from within the development organization, they have the right relationships to better assist developers, testers, and architects in accomplishing their goals. Security Champions can usually communicate more effectively with software teams than the centralized software security group (SSG) can.
How Do You Design a Successful Security Champions Program?
Consider these two important parameters when designing a Security Champions program:
- Breadth versus depth of duties. Should Security Champions serve primarily as developers with a focus on security? Should they concentrate on performing all the secure development activities on behalf of their teams? Or should they be responsible for security activities across multiple teams as embedded security personnel?
- Time commitment. It's important to consider how much time Security Champions will need in order to perform the duties outlined above. Should they be part-time or full-time?
These parameters are major factors in the design of your organization's Security Champions program. You might have Champions who work primarily as developers but also play a larger role ensuring their applications are secure. Or your Champions might spend all their time performing security reviews, providing remediation assistance, and training developers across a portfolio of applications.
Among our customers, we have observed three primary types of programs: training-focused programs, activity-focused programs, and hybrid programs.
To determine the best approach for your organization, start by clearly defining your Security Champions program goals. Do you need to scale a comprehensive set of security activities across the organization to keep pace with Agile teams using dedicated staff? Or would you rather focus on training developers to be more security minded when they write code?
In a training-focused program, developers undergo advanced training through eLearning and/or instructor-led courses. Once the initial training is complete, they resume their development responsibilities. They should also have backing from a Security Champions community to whom they can reach out for support. After initial training, Champions should also attend periodic technical talks and events to stay current on industry trends and new risks.
Merits of the training-focused approach:
- Requires minimal time commitment after initial training.
- Contributes a resource to development teams who can drive the adoption of security requirements, policies, and tools.
- Imposes a low cost on the organization.
- Provides a source of feedback to help improve the SSG's impact.
At the other end of the spectrum are activity-centric programs. This approach builds on the same training but extends its reach to encompass all secure development activities for a collection of teams. In this approach, Champions are assigned a portfolio of applications - usually related to teams with whom they've worked previously. They're expected to perform various security activities throughout an application's development cycle.
Security Champions undergo specific training to build new skills needed to perform activities at different stages of the SDLC. In this capacity, Security Champions oversee adherence to the organization's secure SDLC.
Merits of the activity-focused approach:
- Provides a way to scale security activities throughout the organization's development teams.
- Nurtures the organic growth and development of new security experts.
- Assigns dedicated security experts to applications.
While activity-focused programs provide a great deal of value, they're more complicated to establish. They involve careful attention and maintenance. And they require a greater time commitment, which can also seem costly - though if they are created and managed effectively, the benefits will greatly outweigh the costs.
Funding full-time Security Champions isn't realistic for most organizations. Instead, many have put together successful hybrid approaches that find a middle ground between training-focused and activity-focused programs. In hybrid programs, part-time Security Champions are responsible for providing remediation guidance and performing a smaller set of security activities while maintaining their responsibilities as developers. Thus, the SSG can still provide value while managing costs.