9 Things Application Security Champions Need to Succeed
Common elements to highly effective security champion programs that take DevSecOps to the next level.
January 29, 2020
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt32dc29d9c22232a2/64f0d3d88727732724925fc9/01-champion.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Application security leaders are increasingly developing formal security champion programs that help their companies better embed security expertise and accountability across development and DevOps teams. Security champions are developers, architects, and engineers who take the lead within their teams and projects on security objectives.
"A security champion is fundamentally an enabler and promoter of application security best practices," says Shawn Asmus, director of threat management for Optiv. "They help promote the adoption of tools and standards, as well as consult with developers regarding testing results and proposed remediations."
Security champions pursue advanced training and are an extra resource for their peers to answer security-related questions. They work with the security team to set realistic requirements for their peers, to more effectively choose and integrate security tools that mesh with development workflows, and to ensure that dev teams are making good on their security promises.
We recently surveyed some experts to get perspective on what security champions need to succeed in their roles. Here's what they had to say.
"Without a secure development life cycle from which champions work, they don't know what they are supposed to deliver. Adopting a clear set of activities and expectations for the delivery of 'secure' software - and clearly defining what 'secure' means in the context of the software to be delivered - must be done in parallel with any champion program. Otherwise, what are these empowered people actually delivering? What are their responsibilities? To what are they being held accountable?" -- Brook Schoenfield, master security architect at IOActive, and creator of four security champion programs at different organizations
"Defining a list of responsibilities and expectations helps organizations maintain alignment with the objectives of the security champion program. Don't forget about appropriate separation of duties. For example, the security champion may not be the role entitled to make fix/no-fix decisions." -- Shawn Asmus, director of threat management at Optiv
"Maybe your goal is to get your application inventory under control. Or maybe it's to eliminate all critical vulnerabilities in 2020. I recommend setting up some simple metrics that can get all your champions aligned." -- Jeff Williams, CTO of Contrast Security
"The security team should provide each security champion with training, guidance, and tools to be successful and meet the previously mentioned goals. Teach the security champions how you perform security reviews, how your organization ranks risk, and how they can leverage existing security tools." -- Christopher Emerson, founder and CEO of White Oak Security, involved in setting up champions programs at Target and Best Buy
"One of the keys to success for LinkedIn's Security Champions program is the mentorship component. Champions are assigned a 'buddy' from LinkedIn's information security team based on their interests, the project they work on, and their area of expertise. Having this kind of specialized support is especially valuable for customizing the program, since the goal for champions is that they become security resources on their own teams." -- Jim Hamilton, senior manager in the Information Security Program Office at LinkedIn, and a leader in the company's Security Champions program
"Participants in our Security Champions program dedicate about 25% of their time to the program, which is important for allowing them to fully learn and practice security techniques. Since this time is taken from their typical workload, it's critical to have buy-in from a champion's manager at the outset." -- Jim Hamilton, senior manager in the Information Security Program Office at LinkedIn, and a leader in the company's Security Champions program
"Security champion roles can be crafted such that they have any number of responsibilities. They can help teams configure and run SAST, DAST, IAST, and SCA tools. They can help triage the results that come from those tools and clear false-positives. They can participate in threat modeling. They can do collaborative security code reviews. They can provide examples of manual penetration testing. They can mentor developers and provide more formal training classes. But only a tremendously senior individual is going to be able to do all those things.
"So when you're setting expectations on what you will accomplish with your security champions program, be sure to understand the skills of the champions you have available and do some quick math on the scale of the development program they are going to be supporting." -- Dan Cornell, CTO of Denim Group
"Every program that I've led has fully empowered and supported the satellite members of the team. This is a lot of work and requires a lot of leadership, especially modeling behavior, building a community, servant leadership, and also a little bit of political acumen -- like, don't leave your champions hanging when their own management is resisting their advice.
"At that point, a central, empowered, strong team has to pick up escalations in order to protect champions from conflict with the people who are also responsible for their bonuses and promotions. Hard lesson, that one." -- Brook Schoenfield, master security architect at IOActive, and creator of four security champion programs at different organizations
"There is no shortage of opportunities for trained security engineers, so if you want to keep these talented, security-minded developers, it helps to provide security champions with a path for career progression with goals and milestones. You will also have to plan for a training budget.
"We worked with a large bank to craft a matrix of the skills they wanted their security champions to build over time and the level of knowledge they were expected to have at each level of advancement. This provided their security champion candidates with a solid understanding of how they could expect their career to progress over time and gave them specific goals for professional development." -- Dan Cornell, CTO of Denim Group