OWASP Developer Guide

Security Champions Program

8.2.1 Security champions program

A Security Champion program is a commonly used way of helping development teams run a secure development lifecycle; it works by selecting members of each team to become Security Champions. The role of Security Champion is described in the OWASP Software Assurance Maturity Model (SAMM) under the Organization and Culture activities of the Education & Guidance practice, which belongs to the Governance business function.

Overview

The problem with development and security teams is the imbalance in their numbers. Application security teams usually have far fewer members than development teams, so a good way to scale and distribute security across the development teams is through a security champion role. The Security Culture project describes how this can be implemented.

Security champion role

The Security Champion is a member of a development team who shows a special interest in application security. They have knowledge and experience in both development and security, and can therefore help ensure that security is built into the development lifecycle.

The general role of a security champion is to keep track of threats and to ensure that secure coding practices are followed by their development team.

The Security Culture project provides a few more suggestions for what the role of a security champion should look like. A few of these points are:

  • Evangelize security: they advocate for security best practices within their team
  • Contribute to standards: they provide input to the organization's security standards
  • Engagement with security: they promote activities such as Capture the Flag competitions to build security awareness in their teams

Security champions program

The purpose of the Security Champions program itself is to ensure that the right individuals are selected for the role, to support them with guidance and training, and to make sure they do not suffer from burnout. It is therefore important to select passionate individuals for this role.

For a successful program there are a few things an organization needs to keep in mind:

  • Passion towards security - identify the members of the teams that show interest in security
  • Trust your champions - they are usually highly motivated when it comes to the security of their own applications
  • Create a community - it can be lonely, so provide a support network to these individuals
  • Have a clear vision - be pragmatic but ambitious, make it work, then make it work well

The OWASP Security Champions Guide identifies further principles that matter here and is a good read for any organization planning this undertaking.

The OWASP Developer Guide is a community effort; if there is something that needs changing then submit an issue or edit on GitHub.