Security Champion: you need to think about it
Security Champion and the battlefield
There is an eternal battle inside your company: two of the most important areas are having conflicts for a very long time and it is necessary to end this.
In companies that produce softwares it is common to have a dispute between two areas – Development & Security – To the development area, security teams are like a funnel for the development process, squeezed by numerous functionality demands and new products, that must be launched faster each time.
On the other side we got Security teams clashing a battle to their own colleagues, looking forward to introduce more security to the delivered products. This battle is not always easy, because from the commercial department point of view, it is stronger than just a code validation: the demand of a more innovative and agile market.
Although, some changes have occured. New legislations, normatives and regulations are demanding a more enhanced vision from companies about the security of products delivered to the market. Moreover, the users are starting to understand more about how companies are protecting their data as well as on how to protect them, that is why it is important that developers and security teams act consciously.
As specialists in AppSec, we feel the need to create a bridge between both areas in dispute and we believe that the Security Champion can help pave the way.
What are security champions?
According to an article by Gartner, by 2021 about 35% of companies will be committed to build Security Champion Programs.
However, it has been noted an increase in interest on this subject, we still realize that most companies do not have a perception of how much the creation of Security Champions team can positively impact their structures.
On this subject we still have some conflicting points, even among those who defend it. For Gartner, the figure of a Security Champion is not limited to development teams, for them the Security Champion is an intersectoral figure of the company, and works with the goal of spreading the culture of security at the most different levels.
“Security champions are members of the business, IT or delivery team who receive additional training on pertinent security issues. They act as local gurus who can answer questions, recommend training, and interface with security experts to find answers to deeper questions or escalate issues. These champions are an extension of the security awareness program and may not get into the technical aspects of security issues. They focus on driving the messaging, training and awareness initiatives at a local level.”
On OWASP vision, the Security Champion will be members of the teams that aim to connect security teams with other teams, helping on the understanding of security issues and on the decision making process.
“According to OWASP definition, Security Champions are “active members of a team that may help to make decisions about when to engage the Security Team”. They act as a core element of security assurance process within the product or service, and hold the role of the Single Point of Contact (SPOC) within the team.”“According to OWASP definition, Security Champions are “active members of a team that may help to make decisions about when to engage the Security Team”. They act as a core element of security assurance process within the product or service, and hold the role of the Single Point of Contact (SPOC) within the team.”
The Security Champion inside an AppSec vision
Our understanding is that Security Champions have a more specific function, focusing on companies final product, that produce software internally or for third parties. We understand that in the AppSec world Security Champions are active members of development teams, who have received specific training to introduce themselves to a focal point of security inside a team.
We have this vision because we believe that when a member of the development team becomes a Security Champion, and can establish better communication with colleagues, change the culture of development from the inside out since they use equal language of members involved on the software production.
This way, the development team can comprehend in a better way the given information once that it is received by one of the peers.
What does a security champion do?
This depends on the point of view of who creates the Security Champions program. As we have shown, there are different understandings about the role of these security facilitators within companies.
For the Application Security world, when we talk about the responsibilities of a Security Champion we envision a technical profile working directly with the development team, someone who encodes and transmits their code security knowledge to their colleagues.
This profile works well on most development teams, since changes and shared thoughts start from one of the group members, thus becoming closer to the reality of the team on a daily basis.
Among the main responsibilities of the Security Champions is the cultural change of the developers, who must take a more careful look at the coding work, applying the best practices of safe development and seeking more and more to think about safety at the beginning of the creation of their products.
A Security Champion, in general, is a cultural transformer for development teams, as well as a link between development and security areas, as it can comfortably maintain an understanding of the two worlds, softening conflicts and disputes.
What does our experience say?
After all these years of watching and helping companies improve their development process by working directly on code evaluation and building Continuous Application Security frameworks, we understand the importance of Security Champions. Through the experience gained from creating these professionals we can see that there is a cultural change within the development teams, and that there are also significant gains in security for the systems and applications created.
For businesses, their presence may bring more balance between two areas that, while right in their view, traditionally experience a lot of conflict. Security Champion emerges as a way to facilitate dialogue in order to achieve a central point of understanding.
In our next article we’ll talk more about Security Champions and how we can set up a training program. We believe that by helping to form new Security Champions we contribute to evangelize the market about Application Security and its benefits to the overall security of the software produced by these teams.