Security Champions and Their Role

A security champions program consists of security champions, who are typically contributing developers on the engineering team with domain-specific knowledge. These champions are responsible for coordinating, tracking, and reporting security issues within their teams and are empowered to make decisions without being held solely accountable for security problems. They work closely with the security and AppSec teams on mitigation strategies, help with QA and testing, and even assist in developing CI (Continuous Integration) environments.

A good security champion is generally a developer with a keen interest in security. It’s most effective when there is one security champion per development team or group of teams. This approach creates clarity around who to contact for security help, even though some programs allow multiple developers per team to join, which can reduce bottlenecks but make communication less straightforward.

Volunteer champions

Ideally, a developer should become a security champion voluntarily, rather than have the role forced upon them. Many companies that want coverage across all their development teams will mandate that every team should have representation in the program, but it’s down to the team and developers to decide between them who should join.

You might want to suggest the types of developers you feel would fit well in the program based on the activities and authority they will need. In our discussions, some organizations required a senior developer, while others encouraged developers of any experience to be a part of the program. By relying solely on volunteers will more likely provide you with a program with people who genuinely want to be a part of the group, however, this may come at the expense of a lack of coverage across your organization.  

Security representation

The security team also participates as coaches or mentors. A security coach often works with multiple champions, corresponding to their area of responsibility within the organization. These coaches support champions and foster key relationships to ensure the program runs smoothly.

A longstanding challenge is fostering understanding between developers and security teams. Embedding security resources within development teams and having developers work with security teams can build empathy and streamline processes. Cross-functional collaboration helps each team understand the others’ challenges and provides fresh perspectives that benefit everyone.

Training and Professional Development

Enabling security champions through good training is a cornerstone of success. Developers should learn about security from an attacker’s perspective through practical hacking exercises, threat modeling, secure coding, vulnerability concepts, and prioritization. While traditional training methods like computer-based and instructor-led courses are valuable, consider engaging methods like gamification and security challenges to boost participation. Conferences, internal certification programs, and industry certifications also play a role.

Security training shouldn’t be limited to champions or the security team; it should extend to the whole organization to build a security-aware culture. Security awareness programs, lunch-and-learn sessions, mock incident response exercises, and internal security summits can reinforce formal training.

Program Management

How often champions meet varies, but a monthly cadence for calls is common. Before COVID, in-person meetups every six months or annually were popular for both rewarding participation and sharing knowledge. Meetings should be structured and have a thought-out plan to ensure they are productive.

A lack of program management is a common pitfall. In larger organizations, this may require a dedicated manager; in smaller organizations, someone must still own logistics, accountability, and regular meetings. This role involves organizing membership, responsibilities, and rewards.

Clearly defined activities

A key aspect of a successful program is clearly defined roles, responsibilities, and activities. Security champions don’t necessarily do the security work themselves but ensure that the team adheres to security practices and procedures. Their duties may include threat modeling, writing tests (from unit tests to integration tests), aligning monitoring and logging with code issues, and staying updated on security threats and defenses, often utilizing resources like the OWASP Top 10.

Keeping things simple is crucial. Begin with just one or two explicit activities for champions and expand as the program matures. Documentation is essential, outlining what champions and their teams need to accomplish.

Rewards and recognition

Everyone is different when it comes to what they see as good rewards or recognition for being in a security champions program. Some may not want any, and really just want to level up their knowledge or have an interest in being a part of a champion group (knowledge is the best reward). Others see security as a potential career path and this is a good way of taking a small step into that world. The majority look to other perks, such as physical meetups, as discussed earlier, or tickets to security conferences like DefCon or Black Hat. Internal recognition such as mentions by your VP, which is seen by management teams, or an internal company conference can also act as a good advert for the program. Finally, t-shirts or hoodies are sometimes all people want to feel that belonging or association with the group. Check the pulse of your team to determine the best way to show your appreciation for their involvement.

Measurable goals

The most common education programs were a mix of internal and external training and sharings that also fed into a belt system. You may want to have KPIs/expectations that you have a certain number of people working in critical areas of application development in particular belts. For example if you have a business critical service that interacts heavily with sensitive data, you might want to ensure you have a brown/black as a champion in that team. Similarly, for those areas with very low risk, you would have less concern if you didn’t have more in depth levels of security training among those champions and teams. Belts are awarded based on certifications, completing training, hours of security work, advocating and sharing team projects and success and more.

Reinforcing Success

Adoption can be encouraged through positive reinforcement and gamification. Simple rewards, recognition, and a structured methodology tailored to the organization’s goals can make a big difference. Understanding the cultural fit and what drives the team will help create a successful and engaging program.