How to Improve Your AppSec With Security Champions

By Nitin Raina
August 9, 2022

Fostering a culture of security is the key to a successful, company-wide implementation of AppSec. But this requires a lot of support and is one of the biggest challenges an organization faces. 

Instilling the idea of security, bringing in the necessary changes, and cementing them for the long term requires a multi-pronged approach to communicating the importance of security to different teams. Elements of that approach include:

  • Impress upon everyone that security belongs to each one of them. From new talent to the CIO, everyone is a crucial piece in the security jigsaw puzzle.
  • Improve AppSec awareness with basic security lessons and equip people with the ability to distinguish the depth of threats. 
  • Ensure you have a secure development lifecycle (SDL). Having an SDL program gives you a strong foundation for a sustainable security culture.
  • Lastly, and perhaps most importantly, you need security champions to help make things happen.

What is a security champion and what do they do?

OWASP defines security champions as people who “help to bridge the communication between the development teams and the security team. A security champion will know the pain points of their teammates' code bases, team culture, tooling limitations, they are then in a good position to present security in a way that directly connects with the team.”

Security champions are responsible for evangelizing, mentoring, and promoting the cause for security in the organization. They are the critical thinkers who break down the silos between security and delivery teams and help constantly improve and enforce a good security posture.

How do you do this efficiently? 

With a security champions program.

How do you build a security champions program?

“A good security champion program improves the integrity and reach of your security culture, and by localizing the security representation throughout the business, your reach into the organization will become that much deeper,” says Joanna Huisman, former research director at Gartner.

A security champions program is crucial to guiding developers at the right time, in the right way. It’s also a low-cost method to increase awareness of security.

The best way to begin is to leverage security champions embedded within the development, IT, and delivery teams to quickly scale the impact. They can act as go-to experts who provide guidance and training and answer questions, working in conjunction with security professionals to align with business objectives and consistently improve the application security posture.

Having a security champion program has many other benefits: 

  • They can perform code reviews to detect bugs and threats early in the development cycle, especially when the code is being developed.
  • They can partner with a security expert to teach best practices, which will be more effective than quick fixes.
  • They simplify security and make it accessible for development teams.
  • Security champions are crucial to getting top management buy-in and to strengthening relationships across teams.

As the program gains more visibility, you will need to constantly review KPIs, track metrics, and create standards for user behavior. The key is to start small, work towards prioritized goals, identify and resolve the highest risk areas, and gradually build a solid foundation. Reaching your eventual goal of a company-wide rollout will take time, senior leadership sponsorship, and effort from a good network of security champions.

Security culture and security maturity are the cornerstones of robust AppSec, and security champions are pivotal to magnifying the impact of AppSec in the organization.

Nitin Raina
Vice President - Cyber and Information Security, Thoughtworks