Security Champions

Original Working Session content: Security Champions


Outcomes

Summary of results from the survey respondents:

  • 20 respondents
  • Roles: AppSec lead/head (4), Architect (3), QA (1), Consultant (4), InfoSec management (3), CISO (2), Blank - Devs? (3)

1: What are the typical activities performed by Security Champions?

  • Knowledge sharing
  • Security updates / insight
  • Security training / coordinating awareness amongst peers
  • SAST / DAST tool support / Input into Policies
  • Application context / guidance for scoping
  • Threat Modeling
  • Risk reporting / empowerment
  • DevOps security support / SSDLC
  • Architecture (new projects), GRC (mature systems)
  • Evangelises for security within host team
  • Runs / organises CTFs
  • Resources, guidance & standards input
  • Mentoring / providing energy & focus into security activities
  • Ad-hoc consultancy

2: Who fills the role of Security Champion?

  • Devs (but not lead/principal)
  • QA / Testers
  • Architects & Designers
  • DevOps
  • Operations
  • Anyone interested (PM, Product, but not from Central Security team)

3: What is the Security Champion’s mandate to control security within the team?

  • Energise
  • Scale the AppSec team
  • Advocacy
  • Support / facilitation
  • Discovery / Triage flaws
  • Escalate
  • Share insight
  • Code reviews
  • Threat Modelling
  • Write security stories & tests
  • Prioritise & test security bug fixes
  • Awareness / Encouragement / Educate
  • Point of Contact between Central Security Team & Host team
  • Agent for security culture change

4: Are Security Champions expected to share knowledge or conduct mini-trainings?

  • Yes: 18
  • No: 1
  • Optional: 1

5: Are Security Champions expected to build Threat Models and keep them up-to-date?

  • Yes: 13
  • No: 5
  • Teams, not individuals: 2

6: Are Security Champions expected to conduct internal security reviews for new features?

  • Yes: 9
  • No: 7
  • Sometimes: 4

7: Are Security Champions expected to help decision-making for product design / development?

  • Yes: 18
  • No: 2

8: Are Security Champions expected to monitor best practices followed & report non-compliance?

  • Yes: 15
  • No: 4
  • Monitor but not report: 1

9: Are Security Champions expected to participate / lead R&D work (e.g. testing new solutions / concepts, policies)?

  • Yes: 8
  • No: 7
  • Depends/Sometimes: 3
  • N/A: 2

10: Are Security Champions expected to be the main point of contact for Bug Bounty?

  • Yes: 8
  • No: 8
  • N/A: 4

11: What other activities are expected of Security Champions?

  • Scaling Central Security Team
  • Local advice on security matters - Dev’s + Application-specific knowledge - InfoSec
  • Cross-team knowledge sharing
  • Help define meaningful policies
  • Training & Assist in security reviews
  • Define best practices across teams
  • Network with peers / attend conferences
  • Prioritisation of security relevant stories in Backlog
  • Keep up-to-date with vulnerabilities in tools or third party libraries / frameworks
  • Feedback loop to Architecture, GRC, Infrastructure, Test teams
  • Participation in proposals / improvements
  • Write security tests for identified risks
  • Evaluate new tools & processes
  • Link between Central Security & Technology teams

12: Organisation chart between security function and where Security Champions sit:

  • Majority: Security Champions in engineering teams, not under Central Security team
  • Some: Dotted line report to Central Security team
  • Minority: Security Champions report to the Central Security team, not the engineering manager
  • Query: Difference between Security Champions network vs. Security Guild vs. Security Chapter?

Summary of discussion:

Security Champions - role definition:

  • Scales AppSec team
  • Member of non-security team: Dev, Ops, Architecture, Legal, Finance, Marketing
  • Security advocate within other (host) team
  • Link to central security team / escalation route - (vice-versa) - application specific advice
  • Aspire to change: culture / career progression
  • Pro-active / enthusiastic about security
  • Visibility / eyes & ears on the ground
  • Organise team: active members of team actively drive outcomes e.g., Threat Models
  • Selection of security champion: self-appointed (better) rather than nominated
  • Network forums: meet regularly / conferences, CTFs, peer networks (both internal & external)

Asks from Security Champion to Central Security team:

  • More training / CTFs
  • More resources / tools / solutions e.g., Common Secrets Mechanism
  • Enthusiasm <—> advocacy
  • Share ideas with peers
  • Empowerment / gain management support / respect / visibility
  • Being heard / input to Product for Security features -> rewarding / gives ownership
  • Proof of Concepts / Demos / Brown-Bag sessions
  • Credit & Accreditation - from HR
  • Own & update Threat Models
  • Report & own risks & issues
  • Prioritisation of security stories & writing security tests
