OWASP Developer Guide

Security Champions

Developer guide logo

8.2 Security Champions

A ‘Security Champion’ is a member of a software development team who is the liaison between Information Security and developers. This helps to embed security into the development organization.

Security Champions and the necessary supporting program are described in the SAMM Organization and Culture section, which in turn is part of the SAMM Education & Guidance security practice within the Governance business function.

Depending on the development team the Security Champion may be a software developer, tester, product manager or any role within the team; what matters most is an enthusiasm for software security and a willingness to learn. Security Champions can assist with researching, verifying, and prioritizing security and compliance related software defects within the application/product.

Security Champions will usually be involved in risk/threat assessments and architectural reviews and can often help identify opportunities to remediate security defects; making the architecture of the application more resilient and reducing the attack threat surface. Security Champions also participate in periodic briefings to increase awareness and expertise in different security disciplines.

The two goals of the Security Champion program are to increase effectiveness of application security and compliance and to strengthen the relationship between development teams and Information Security teams. The program should supply Security Champions with additional training to help develop their role as a software security subject matter expert. If possible the Security Champion should be provided with time for Information Security related activities, and this may well have to be negotiated with the development management hierarchy.

Importantly it should be recognized that Security Champions are often taking on an extra role in addition to their existing one, and it is important that support is provided by the program for their well-being.

Sections:

8.2.1 Security champions program
8.2.2 Security Champions Guide
8.2.3 Security Champions Playbook


The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.