June 14, 2023
The Secure Developer (TSD) podcast, hosted by Snyk founder, Guy Podjarny, is about security for developers, covering topics from tools to best practices. It features interviews with experts in DevSecOps and promotes discussions of current events and trends in secure development.
Lately, it seems everyone is talking about building a security culture, identifying security champions, and the future of security teams and champions.
Security champion programs empower individuals within an organization to take ownership of security by acting as ambassadors and advocates for security best practices across the dev org.
However, you must build a security culture before implementing a successful champions program.
Building a security culture.
Identifying and defining who your security champions are.
The future of security teams and champions.
1. Building a security culture
"That cultural relationship between security and the rest of the company and…engineering and security…as the enabler and a positive force will keep growing. That, I'm excited for."
- Dev Akhawe, episode 88
Building a culture of security means creating a shared set of values, beliefs, and practices that prioritize security as an integral part of software development and deployment.
Dev Akhawe, head of security at Figma, explains on episode 88 that Figma's relatively small organization has a culture where the security team strives to earn trust across the org and therefore works openly. Akhawe and Figma find value in exposing teams to different parts of the organization and using that cross-department exposure to develop better relationships. This has resulted in greater cohesion between their security team and developers.
Similarly, in episode 34, Siren Hofvander of Cybercom notes, "where security teams fail is that they try and apply more security onto a development team that probably is overburdened as it is."
Hofvander explains that security teams often overlook that development teams are already doing security, even if it goes unnoticed. Hofvander wants security teams to recognize developers are under significant pressure to deliver on time and within budget. Additional security requirements can add a considerable burden that may slow development, increase costs, and reduce overall productivity.
As Guy points out in this episode, it "all boils down to being the developer's champion."
Instead of adding more security measures, security teams should work closely with development teams to understand their workflow and processes, identify potential security risks, and integrate security measures into the development process without disrupting it.
Like Akhawe and Hofvander, we at Snyk believe that building a security culture relies on building open, positive relationships between security and engineering teams because we know that organizations with a positive security culture build resilient products while reducing their security debt.
Experts agree that once you have a security culture, developing a security champions program effectively promotes your security culture across the organization.
2. Identifying and defining who your security champions are
"We look at it as a partnership of sorts…we really don’t want security to be a roadblock…It’s more of a partnership where we work with engineering and…come to collaborative decisions…the Security Champions program helps us do that on a large scale."
- Yashvier Kosaraju, episode 66
A security champions program bridges the gap between security and development teams.
Both teams strive to deliver secure applications at the speed of business demands. However, security practices were traditionally added into the SDLC as an afterthought, resulting in security gates, developer rework, frustration, and slower overall product delivery.
Security champions are the perfect way to fill this need. Security champions are developers curious about security who act as the interface between two traditionally siloed teams.
Here’s the thing: everyone agrees that a security champions program promotes a strong security culture. The problem is that everyone structures, identifies, and defines who or what a champion is differently.
For example, in episode 79, Brendan Dibbell (application security engineer at Toast) shares that “when we say a security champion for us, it’s a person who is actually responsible for taking over some of the day-to-day security work.”
Yet, Yashvier Kosaraju (episode 66) defines security champions as “an engineer on every engineering team is their dedicated security champion, and then there’s one security engineer who is their dedicated security partner. This security partner and champion meet regularly and then talk through what the engineering team is doing, what the security team is doing, what reviews they need, what help security can provide, do things securely, and ensure that they’re building robust and secure solutions.”
Geoff Kershner (chief security officer at Medallia), on episode 74, defined champions like this: “engineering and development teams are aligned around our products. We have dozens of products on our platform…if there is a team around reporting, a team around APIs, a team around mobile, a team around all those different things, each one of those will have a security champion or a champion who can work with and develop through this program.”
Our takeaway is that the idea of a security champions program is widely accepted as a way to promote a strong security culture in organizations. However, there is no uniform definition of what a security champion is or what their responsibilities should be. It will rely heavily on how your org is structured.
Each expert agrees that a security champion is not a full-time security specialist; instead, it is a dev on the team who is curious, wants to develop a strong understanding of security principles, and is willing to take the lead in championing security initiatives within their team or organization.
The bottom line: however you define or structure your security champions program, it will be critical in supporting and enhancing the culture of security within the org and embedding security into the software development process.
3. The future of security teams and champions
“...I hope at least; there will be less need for dedicated security engineers…Developers and teams are going to be much more able to do their own threat modeling and security testing and be able to easily interpret those results and carry out those security processes to create merge requests for security updates and carry a lot of those activities themselves."
- Nick Vinson, episode 84
Guy likes to ask his guests to “think ahead five years out…what do you think would be most different about that future person’s job, compared to what you’re doing today?”
In other words, what does the future look like for security teams and their champions?
For Vinson, the goal is for developers to become more proficient in security practices, resulting in less need for dedicated security engineers. The increased ability to handle security tasks will allow developers and teams to easily incorporate security updates into their work and reduce the need for dedicated personnel.
Similarly, for Kosaraju, the future of security and champions is up-skilling your devs. Kosaraju says that Twilio has an advanced champions program within its security champions program that includes challenges with varying levels of difficulty (red, blue, and purple categories). It is designed to increase security knowledge and skill. As participants complete challenges, they earn perks and more responsibilities within the program—the program aims to empower individuals to make informed security decisions based on their increased knowledge and skill.
Developing a champions program will help your product and your organization while further developing the skills repertoire of your engineers; it is truly a win-win.
Recap: the BIG ideas
All five of the episodes in this recap emphasize three big ideas about security today and the future of security and security champions:
Developing a culture of security across your dev org is paramount to all. Doing this effectively will require greater team collaboration across different parts of your organization.
Security champions are the devs on your team that are curious, passionate, and willing to lead. Providing them with opportunities to level up their skills benefits the developer, the code, and the business’s bottom line.
The future of AppSec lies with developers and developer security.