Creating and running an application security program within your organization requires a culture change in both the security team and developer team. In fact, it really requires a business-wide examination of security and developer culture. But bringing together disparate mindsets and skills can be difficult. How can security spread its message and get buy-in for secure development throughout the organization? Enter the security champion, or satellite.
A security champion or satellite is a nonsecurity employee, often from the developer group, who can help drive application security by engaging with the security team and evangelizing security’s message throughout the company. Champions also help their teams decide when to engage the security team. The idea is that a strong program of security champions increases the effectiveness and efficiency of collaboration between other teams and security, which in turn leads to stronger application security.
“It’s really about how to navigate security and bring that information to the table,” explained Brendan Sheairs, a managing consultant and expert on security champion projects with Synopsys. “A champion helps bridge both worlds.”
“In every situation, starting a champions program is going to require developer leadership,” said Sheairs.
“You are going to need a lot of time from development and you will want them to focus on security, while also paying them to do their full-time job. That’s a tough conversation to have sometimes.”
But if done well, security champions can help security scale throughout the business. How do you create a successful security champions program within your organization? We spoke to two BSIMM community members who have established champions programs, and these are their recommendations.
At Rally Health, Sam Freund, senior director of development, said its champions program was launched about five years ago and has evolved over time.
“We initially created it because we had just one full-time person plus me in application security,” explained Freund. “That just wasn’t enough when you have a large team of people and need to review everything. We needed to spread the influence of application security without hiring a bunch of people. So we created a security advocates program.”
Initially, people volunteered for the program, and they would spend just 5 percent of their time working on application security initiatives. But it simply wasn’t enough.
“We rapidly found out it was not enough if you include improving their knowledge and helping people on their team,” said Freund.
Rally decided to reduce the number of advocates and increase the time allotted to those who remained in the program. Eventually, the program began recruiting through an interview process in order to better vet participants and ensure champions were genuinely excited about being part of the effort.
“We invited people to apply that don’t necessarily have a security background but are engineers and have a desire to learn about security. That was a good lesson learned. We saw an uptake in participation after that.”
Keep champions engaged
As Rally learned, there needs to be a set number of hours each week that champions dedicate to security-related tasks such as meetings, collaboration with security, and assisting with QA and testing. But beyond these tasks, it’s also important that champions feel like they are learning and engaging.
At Rally, monthly meetings help keep champions interested in attaining new knowledge.
“At least once a month we have an agenda and have a special guest come in and talk about DevOps, influencers in the industry like Chris Robert, for example,” said DJ Schleen, an application security manager at Rally. “This also attracts the engineers. It’s almost like a conference talk. We talk attacks and exploits. It lets engineers know security is important and they start to feel like a hacker.”
Muthu Balaraman, director of enterprise application security assurance at Depository Trust & Clearing Corporation (DTCC), said a monthly lunch and learn also keeps his Security Mavens (DTCC’s name for its security champions program) on track.
“We started a lunch and learn to get things going, and people enjoy coming in and finding out more about security,” he said.
At DTCC, the OWASP Top 10 web application security risks formed a large part of the program’s curriculum when it started 15 years ago. DTCC has also worked with vendors that helped develop its champions program curriculum.
Get management buy-in
Because of the amount of time champions need to spend working outside their primary role, management buy-in on the program is essential. Don’t launch an unfunded, experimental program. Instead, push at the outset for budget and visibility, which gives your program credibility and will help you grow it over time.
“In the end we need budget,” said Balaraman. “I made that clear to management. Even though security is important, it is also important to prioritize and reduce the risk exposure. I was able to explain why the program would also satisfy business needs. They started to see the value-add.”
Keep checking in
Rally’s Freund and Schleen stress the importance of keeping champions up to date and engaged in the mission of the program.
“We have an app sec quiz that we hand to people at random,” said Freund. “It’s a low-pressure quiz. But we want to make sure people are passing.”
At Rally, there is a direct tie to compensation.
“At the VP of engineering level, they all get a security scorecard. Everyone's results are shared with their peers and our CTO every month. It's expected that everyone holds a B average, and failure to perform on the scorecard would impact the overall performance of that VP.”