Security Guild vs Security Champions


When creating horizontal security teams across multiple teams or squads, there are two models that have gained some traction: Security Guilds and Security Champions.

Why

This working session will discuss common terminology and workflows, as it is important that the industry agrees on and recognises the distinctions between Security Guilds and Security Champions.

What

  • What are the best definitions of Security Guilds and Security Champions?
  • How different are they?
  • Should Security Champions be part of a Security Guild?
  • Should they be merged?
  • Should we agree on one concept and push it as an industry?

Outcomes

Security Champions are a key element of an AppSec team, since they create a cross-functional team focused on Application Security.

What is a Security Champion?

  • Security Champions are active members of a team with a dotted line to the central Security Team
  • Act as the “voice” of security for the given product or team
  • Security Champions provide visibility to the central Security Team

Comments

  • Security Champions are a model that has been used successfully
  • A group of Security Champions could be a Security Guild
  • A Security Champions network needs energy from the central Security Team

Follow up:

  • Request on the model presented above
  • Create a survey that maps the current Security Champions structure (in the Summit)

Who

The target audience for this Working Session is:

  • Security Champions
  • CISOs
  • Agile practitioners

Working materials

Here are the current ‘work in progress’ materials for this session (please add as much information as possible before the session).

Content

OWASP definition of security champions:

Security Champions are a key element of an AppSec team, since they create a cross-functional team focused on Application Security.

What is a Security Champion?

  • Security Champions are active members of a team with a dotted line to the central Security Team
  • Act as the “voice” of security for the given product or team
  • Security Champions provide visibility to the central Security Team

Recommendation

  • Security Champions are a model that has been used successfully
  • A group of Security Champions could be a Security Guild
  • A Security Champions network needs energy from the central Security Team

What do they do?

  • Assist in the triage of security issues for their team or area
  • Actively participate in the AppSec JIRA and WIKI
  • Collaborate with other security champions
  • Review impact of ‘breaking changes’ made in other projects
  • Attend weekly meetings
  • Are the single point of contact for their assigned team
  • Ensure that security is not a blocker on active development or reviews
  • Assist in making security decisions for their team:
      • Low-Moderate security impact:
          • Empowered to make decisions
          • Document decisions made in bugs or wiki
      • High-Critical security impact:
          • Work with AppSec team on mitigation strategies
  • Help with QA and Testing:
      • Write Tests (from Unit Tests to Integration tests)
      • Help with development of CI (Continuous Integration) environments

What is a Security Guild?

“A guild is a community of members with shared interests. These are a group of people across the organization who want to share knowledge, tools, code, and practices.” (Spotify)
