My name is Seb and I’m an application security (AppSec) engineer, part of the Application Security Consultant (ASC) team here at Veracode. My role is to help remediate flaws at scale and at pace, and to help you get the most out of the Veracode toolset. With a background as an engineering lead, I’ve run AppSec initiatives for government and global retailers.
I’ve found that successful AppSec is all about people. To help bring that ‘people’ element to your AppSec program, a Security Champions initiative is an effective way of turning security-interested developers into security evangelists for your organization. Security Champions become a bridge and a multiplier, transferring knowledge to their own team members and working with security teams to find better, faster, more secure ways of creating secure software. Having interfaced with Security Champions many times, there are some key tips for success that I’ve picked up – many of which we’ve implemented at Veracode.
Don’t underestimate program interest
First and foremost, more people will be interested in a Security Champions program than you think. At Veracode, we see a lot of interest and typically have two security champions per team. I’ve always been surprised by the positive response I receive when starting a Security Champions initiative. Cyber is cool; it’s relevant, it has great career opportunities, and it makes a difference. Once you explain the purpose, goals, and rewards involved, you shouldn’t have trouble finding Security Champions in your own organization.
Make it fun, engaging, and rewarding
You’ll also need to work to make it “feel” special. You will have just started an elite club, but you can’t simply book a room and wash your hands. To keep it interesting in the past, I’ve run capture the flag (CTF) games, competitions, brought in external speakers, ran training sessions, and even organized for Security Champions to go to training camps and conferences. Your role as the person initiating the Security Champions program is to become a great facilitator, a marketer, and an evangelist for AppSec. If you bring the party, your Security Champions will stay engaged.
Work like engineers
I also recommend that you organize like a software team. If all your engineers are using SCRUM, an agile framework for development, then run your Security Champions program like a SCRUM team. If they’re all using Azure DevOps, run your Security Champions using Azure DevOps as well. It also helps to have a backlog of potential work and groom the backlog together, run sprints, estimate work, and most importantly, run retrospectives.
Build a team identity to maximize impact
Remember: the same team-building rules apply, and your group of Security Champions are a group of individuals to begin with. If you want the maximum impact through collaboration and open discussion, then you need to invest in building that team and a sense of identity. At Veracode, we have a #security-champions Slack channel where collaboration can occur on Veracode integration projects or to ask questions about secure coding. And it doesn’t just have to be engineers. Anyone can be a Security Champion. Anyone can bang the drum, try to help influence secure practices, and be a fan of AppSec.
Let security help with developer roadblocks
Security team members in a Security Champions group can start to absorb the challenges, tooling, and complexities of what their software teams are going through. AppSec is often a people-challenge and having security team members who understand the pressure developers face to deliver software –trading off between security debt, new features, and continuous improvement –helps to build empathetic relationships.
Don’t forget to share your challenges and welcome the Security Champions into the world of security; knowledge transfer works both ways. Both sides of the aisle may have ideas on how to address challenges in other teams or parts of the business, especially when it comes to automation or better ways of working. As an example, the AppSec dashboards at Veracode were built in collaboration with Security Champions — it’s a great way to inner source code.
Work transparently and inclusively across teams
My most important tip is to work in the open. One of the principles of secure software is open design. A secure solution that relies on a hidden design secret or obfuscation is trouble waiting to happen, and the same can be said for decision making. Running a Security Champions initiative is an opportunity to demonstrate how to work transparently and inclusively across an organization.
Your agendas, minute meetings, and prioritized backlog should be open for all to see, critique, and eventually contribute to. And, you should seek the biggest audience possible for sprint reviews on the Security Champions initiative. Why? Because interacting with Security Champions is a chance for someone else in the organization to have a positive experience with security and become part of the initiative. The more open you are, the more people you reach, the more perceptions can be changed.
The goal is cultural change, not 100% compliance
In organizations where security and developers have strong relationships, influence becomes the driving force rather instead of compliance. With influence, we start to improve the culture and attitude towards security. Only then can we encourage everyone to move more securely because it’s the right thing to do, not just because the compliance team is blocking a release. Security Champions are a critical part of improving security culture and I hope you consider investing in an initiative like this, as we have here at Veracode.
Read the recent Forrester Report: Build a Developer Security Champions Program and browse our handy checklist below to learn more.