OWASP Developer Guide

Security Champions Guide

8.2.2 Security Champions Guide

The OWASP Security Champions Guide is a guidebook that helps organizations build a security champions program that can succeed over the long term.

It is a relatively new OWASP Incubator project and is available as a web document.

Overview

Security Champions are an important part of an organization’s security posture; they provide development teams with subject matter experts in application security and can be the first point of contact for information security teams. It is widely recognized that a program needs to be in place to actively support the security champions, otherwise there is a risk of disillusionment or even burn-out; to counter this risk a Security Champions Program will help identify and nurture security champions.

The Security Champions Guide provides two resources that explain what a security champion program is and how it can be put into practice:

  • The Security Champions Manifesto sets out a philosophy for a good security champions program
  • The Security Champions Guide explains each point in the manifesto and illustrates it with practical advice

The Security Champions Guide is not prescriptive: an individual organization should select freely from the suggestions to create its own program - and perhaps revisit the guide as its security champions program matures over time.

The Security Champions Manifesto

The manifesto defines ten key principles for a successful security champions program:

This manifesto is a set of guiding principles that will certainly help with creating the program and can also improve an existing security champions program.

The Security Champions Guide

If the security champions program is in the process of being put in place, then consider each principle/section of the guide in turn and decide if it can be part of the program. Each principle is generally applicable, but every program will be different in practice, so pick and choose the elements the organization can adopt or leverage to create a customized program.

Each principle is split into topics: the What, Why and How. Some sections also contain checklists or templates that can be used to create or improve the program. For example, the section on investing in security champions explains what this entails: ‘Invest in the personal growth and development of your Security Champions’. It then goes on to describe why this is important (ensuring the health of the Security Champions community) and then gives suggestions on what this means in practice: webinars, conferences, recognition etc. The other sections are similarly helpful and provide a range of practical advice.

The guide is also useful for an existing security champions program, providing advice on what can be further achieved. It is worth noting that some security champions programs are initially successful but can then fail over time for various reasons, perhaps through change of personnel or budgetary pressure. The suggestions in the Security Champions Guide can be used as a justification for investing in the program further and will help to sustain the existing program.