How Security Champions Can Build an Alliance With Developers
Introduction
Although the term Security Champion is still relatively new, it has already become a mainstay within security and development circles, with a definition that has begun to evolve. Security Champions are key personnel who are responsible for tracking security issues with application and product development teams as well as security teams.
It is important to note that Security Champions are not usually responsible for implementing these security recommendations but are seen as one of the main drivers of the implementation due to their proximity to the development teams and the security teams. This means that when a difficult call needs to be made that relates to the application’s security posture, it’s on the Security Champion to push for its implementation. This can sometimes set Security Champions at odds with the rest of the development team, especially when major changes must be made to accommodate security concerns.
Fortunately, this doesn’t need to be the case. It is entirely possible for development teams, security teams and security champions to work together to achieve the goal of creating secure applications that don’t compromise on quality, features and release frequency.
Developer Issues
If you have ever worked in a software development environment, then you probably know about the stress and anxiety that developers experience on a daily basis. Developers need to create fully functional applications in record time, battling product owners and team leads that set seemingly unreachable goals day after day.
Developing commercial applications is difficult even without factoring in additional security features, let alone rewriting entire sections of code to accommodate concerns from the security team. Tidying up code to eliminate a seemingly small security vulnerability can stall the progress on an entire project and delay a product’s release or an update cycle, which makes everybody unhappy.
The seemingly contradictory goals of the security team and the developers can definitely lead to tensions between the two groups, which is where the Security Champion and the project lead need to communicate to create clear goals that both groups can work together to achieve.
Security Team Issues
Ensuring that the entire software product is secure enough to survive the release date is also stressful and anxiety-inducing for the security team. While they make recommendations to the project leaders and team leads, there are no guarantees that the changes will make it into the final version of the product.
Hours of code audits and verification need to take place before launch day, so the security teams need to be on their toes to prepare for public consumption of the product. If not all of the security recommendations were followed as requested then the application runs the risk of exposing its user base to threats and vulnerabilities, which brings with it a swarm of liability issues for the whole company to deal with.
The best time for the security team to get involved is right at the beginning of the project, so that the safety and security of the application are written directly into the code from day one. Even better, developers should be trained to use the latest techniques in their code so that, from the first line of code to the final compilation of the application, there is an uninterrupted chain of best-practice coding and security throughout.
Where the Security Champion Bridges the Divide
As with most things in life, using a mediator is often the best way to get two groups of people with seemingly competing interests to see eye-to-eye, and in this instance a Security Champion is just such a person.
Sometimes a Security Champion is merely a developer that has been given special security training in the latest vulnerabilities and threats that could affect the product under development. In this instance, the Security Champion would likely spend a lot of time with the security team so that they understand the many layers of complexity that make up the product's security release and can relay this information back to the dev teams.
This person will then act as the go-between for the two groups, and because they have both development knowledge and security training, they can best describe the kinds of modifications and new developments that need to occur from a security framework point of view. How many of these changes get accepted will rely heavily on the product owners and team leads of the project, who will both suffer penalties if the release date is pushed back too far.
If the project is behind schedule, over budget or rushed out to the public, then there are some pretty serious consequences for the teams and company that worked on the project, so there needs to be extensive consultation between all parties during the whole development process.
Anatomy of a Security Champion
We already know that a Security Champion is an important member of the security team, development team or application security team. Where they are located in the organization will depend on the structure of the company that develops the application, as well as their human resource allocation for the project.
We can think of the Security Champion as the main guiding force behind the project's security decisions, as well as the person that decides when the security team needs to be called into action for a review. Security Champions are not limited to one per company or project, so there are instances where different development branches of the same product need to alert the rest of the teams that a change they need to make might seriously affect the entire project. This is where groups of Security Champions need to consult with one another before these changes can be passed on to their respective teams.
Because of their integral involvement in the development process, Security Champions need to attend meetings, communicate with other teams and stakeholders, check that no security issues are holding the project back and assist with low-, moderate- and high-impact security decisions.
Conclusion
As we have seen, the Security Champion role is a serious responsibility that has massive impact on the progression of application development. It is a role that requires knowledge of security and development, as well as people skills with an insane level of attention to detail. It is certainly not a job for the faint of heart, as you will be tested daily on your security knowledge while making tough, unpopular decisions when the product’s security comes into question.
However, the reward for doing a good job is knowing that the product that you helped to release into the world has been designed with security and safety in mind, and that you helped to create an application that can fend for itself out in the wild.