To really understand why security champions are needed, it’s important to recognise a fundamental truth of most engineering teams — security isn’t a top priority for developers. This isn’t a knock on developers; most organisations simply haven’t built a culture that places much importance on securing their software.
Security isn’t about checking off items on a vulnerability checklist. It’s a conscious, ongoing effort to observe the behaviour of your application, understand how users interact with it, and create strategies to deal with unwanted outcomes.
A security champion plays a key role in enabling all of these activities. A well-functioning champions program is one of the best signs of a mature AppSec posture because it means the developers have the skills to build software that’s secure by default.
The biggest incentive to build security champions is to level the playing field between engineering and security. For context, the ratio of developers to security professionals is roughly 135 to 1. To say that there’s a shortage of security talent out there is a tragic understatement.
But having a security champion (or champions) on your team confers several tangible benefits on your development process:
A security champion needs to have the time to take security training and implement new practices in their role as developer. This means taking time away from their primary role — otherwise, the champion will burn out from too much extra work.
Your organisation will also need to provide resources for you to conduct security training, plan events like CTFs and hackathons, and even build an internal security champion ‘brand’ (more on that later).Without a formal thumbs-up from management, champions will be doing all this work as extra in their own time, and won’t be compensated for it. Not a good situation if you want your champion program to last more than 2 months.
Most security training and knowledge we encounter comes from an offensive perspective: how can we find vulnerabilities? How does a hacker compromise the system? How do we break the application?
But focusing purely on the ‘Attack’ point of view ignores the entire other half of the equation: defensive security.
Once you find out where the vulnerabilities come from, your developers need to know how to fix these vulnerabilities. There are 3 lines of defence in defensive security:
Combining all 3 of these skills is essential for your team of security champions, especially at a high level. Not every champion will get training in all of these skills, of course, but it’s important to ensure your teams have a balanced distribution of defensive and offensive security skills to tackle any challenge that comes their way.
When you start your brand-new champions program, you’re very likely not going to get a lot of enthusiastic responses from the team. You’ll need to find and persuade the right people for the job, and that may take some work. Here are 3 important things you need to do:
Build a brand around your security champions. Design a logo or mascot to represent the program and distribute swag to all your champions. It could be t-shirts featuring your new mascot, or a coffee mug with a cheesy tagline, or even colourful stickers.
The idea behind building a brand is to give the champions program a sense of identity within the company (since champions may come from different teams). The program’s successes and achievement can be attributed to the brand, and it serves as a reward mechanism for your champions.
Rather than asking your new recruits to volunteer for some unspecified period of time, ask them to opt-in for a full year. This means that once they’re in, they have to complete the full year of being security champion.
This stops a non-serious applicant dropping out of the program after a few months, and they get to experience one full year of training and security activities. After the first year, they’re automatically ‘out’ of the program, and have to opt back in if they want to continue as champion.
The problem with training your team is that you can’t just make them follow any old training program and expect results. There are a few roadblocks you need to cross in order to achieve a learning cycle that sticks, and yields positive results over time. That means answering these 3 questions:
The simple fact is that most company training programs suck. They tend to take the form of boring lectures where learners stare at Powerpoints and take notes for 3 hours. There’s very little engagement or interaction going on, and learners don’t actually absorb or retain 50-60% of what they’re taught.
Contrast that with hands-on training: learners need to solve problems using practical lab exercises. This makes learning much more fun, mentally engaging, and has been shown to increase information retention by as much as 75%. In a field like application security, hands-on experience is vital to gain real-world skills.
You can have your champions take all the training programs you want, but how can you be totally sure they’re actually learning something? With evaluations, of course!
Evaluations can take many forms, but they essentially boil down to the same thing: providing solid proof that the champions have learned crucial security skills. There are 2 main ways you can conduct an evaluation:
Training is just one aspect of your interactions with security champions. But you’re not always trying to get them to learn new skills — that just leads to monotony and boredom. It’s important to nurture your champions’ passion for security in other ways, and keep the momentum of the program. Here are some ideas to get your champions more engaged and motivated.
Rewards are a fun way to thank your security champions for volunteering to be part of the program and doing a good job. Depending on how flexible upper management is on this, you can prepare all kinds of exciting rewards for when your champions advance in their training levels, achieve the KPIs and milestones, and have shown exceptional performance over time.