Have you ever felt that your developers and your application security team don’t see eye-to-eye? Do your developers hold feelings of dread at the mention of “the security guys”? This is a common problem with culture in the industry. There has long been a cultural divide between security and application teams. Developers want to deliver functionality quickly. Security teams want to make sure it is stable and secure. Businesses want to see value as quickly as possible.
However, you don’t have to resign yourself to slogging through the many conflicts this divide can cause. Instead, proactively create security champions in your organization so this divide can be mended. Here are five reasons why you need one.
#1: Security Champions Build a Culture of Security
First of all, the best way to defend your applications in today’s fast-paced world is to build a culture of security. Building a security champions program will help develop that culture. The security champion educates developers and helps them write secure code. Ultimately, you want every developer to understand how security affects the business and the basics of writing secure code. Security should be on the forefront of everyone’s mind, both in your organization’s business and technology divisions alike. A well-run security champions program will be a huge boon to a culture of security.
#2: Scale the Application Security Team
Most organizations will never have enough application security experts to keep tabs on every decision, in every application, that could affect the security of the company. Security champions can help to scale the security team by being the voice of security in all of the development teams. Champions can keep development teams on pace with any required assessments and security activities. They schedule penetration tests and set up security scanning tools. They handle secure code reviews to help prevent new vulnerabilities from creeping into the code base. As a result, champions are the application security team’s extension into the organization.
#3: Teach Developers to Write Secure Code
Security champions should take the lead in developer education. They should define what education and training is needed by the various development teams. It is important that champions do this because they are on the “front lines” of development and understand the day-to-day needs of development teams. Informal brown-bag lunch-and-learns are a great option. Formal training should also be an option, depending on your budget. Another opportunity for developer education is secure code reviews.
Most of all, you want your developers to understand how to write secure code without having to reach out to the application security team for every bump in the road. The security champion can help out with tough situations, but developers should have a basic understanding of security and the champion can make that happen.
#4: Champions Understand Your Code Base
It is impossible for the application security team to understand every line of code of every application. However, security champions can understand the code they are securing. Security so often requires context. You need to understand what the application is trying to accomplish. Therefore, security champions can understand that context and be much more effective in securing code.
Security champions can perform secure code reviews. They can also triage scanning tool results and weed out false positives. The champion’s intimate knowledge of the code will yield more effective results than an application security team that deals with dozens or hundreds of applications.
#5: Opportunities for Your Developers to Grow
Finally, a security champion program gives your developers a great opportunity to grow. There are many developers out there who care about security and want to write secure code. Unfortunately, they may not always have the time and resources to learn it properly. Therefore, a champion program can sponsor their security education.
Try your best to find volunteers who are passionate about security. They will give you the best chance of success in building that security-minded culture. Reward them with opportunities and recognition. Send them to security conferences and make sure their peers know how valued they are. As a result, they will put all of their passion to good use.
The next question is: “Now that I know I need to create application security champions, how do I actually do it?” Knowing is the first step; putting it into practice is what makes a difference.
Consequently, I have created a training program that walks you through creating an application security champion program in 3 months. I have video training plus all sorts of downloadable goodies to help make the process as smooth as possible. I encourage you to check it out.
So take the next step in application security maturity in your organization. Find application security champions, train them well, and let them lead you into the future of application security.