If you’ve ever felt the glare of developers unhappy with you for ‘making them’ fix an issue or subjecting them to a lesson in security, you’re familiar with the tension that can arise between the security and development teams. But without the development team on your side, you’ll never get your Application Security program up and running. How can you get your program to work if the team most able to make a difference – the developers – aren’t interested?
You need an AppSec Champion on your side.
An AppSec Champion is someone who can help change developers minds about the perceived burdens of secure coding: more work, slower iterations, less productivity, and more oversight. The Champion is someone that can both help developers with security concepts and help the security team better understand how the development process works – and areas where security processes can be improved or replaced.
If a new tool is spitting out too many false positives, the security team may not be aware until later in the cycle.
Finding an AppSec Champion
The AppSec Champion or Champions in your organization will most likely come from the development team. Champions are those people that truly care about security and have a drive to learn in-depth secure coding practices.
Developers, like anyone, are incentivized by more say in their work, rewards, and the chance to grow more. Use these incentives to mobilize your search for an AppSec Champion.
First, begin by driving home the importance to the company’s stakeholders. Talk to team leaders and the executive board and get support for this, and urge managers to formally recognize the champion’s security responsibilities during their reviews. Only with support from higher up, especially management of the development team, will an AppSec Champion program work.
Without their support, even those developers passionate about security will be hard to convince. If it’s extra work and they’re not getting recognized, what’s the point for them? Be sure to put yourself in their shoes – and don’t be afraid to get creative! If you don’t have budget for gadgets or big trips, think smaller – trips to local security events (during work hours), taking them out to dinner, even announcing their new role in the company newsletter can all be ways of showing your appreciation.
Once you’ve gotten support from above, ask team leaders if they have any leads on if they’ve seen any possible security leaders on their teams. What exactly are you looking for in an AppSec Champion? Each champion will be different, but they should be those individuals who have shown extra interest in the security side of development, or those who team leaders think would be interested but just hasn’t been introduced to security processes. Ideally, Champions should be senior developers who know the development process well and who are looked upon highly by fellow colleagues.
So, if you haven’t determined why exactly you need an AppSec Champion in your organization, here are the top seven reasons why you do.
7 Reasons Why You Need an AppSec Champion:
- To learn more about how the development team works
The role of the security team is not and cannot be one that comes to give orders and watch over the developer’s shoulders with no reciprocal relationship. An AppSec program based on scare tactics or burdensome power will not fly in most any environment. It’s imperative the security team learns how the development team works: What tools are used, what the flow of code is within a project, which milestones are marked in a project and how testing is currently accomplished.
Only with a strong match between the current SDLC and the secure SDLC processes will an application security program be successful, and that can only be done by having a strong sense of the current workflows and tools.
The AppSec Champion can be your trainer in the way the development team works. Invite your champion to coffee or lunch to discuss the development process and ask your questions. This way, even before you launch your AppSec program with the developers, you’ll know more about their processes and where security best lays.
- To help encourage better security practices among the team
Next to better understanding how the development team works, the AppSec Champion also plays a role in helping raise interest and awareness in secure coding and security processes among the developers.
The security team is seen as outsiders in many organizations. Having someone on the development team, actively responsible for helping others write more secure code is one of the best ways of getting developers on board for a strong AppSec program. This is a role most AppSec Champions will appreciate, as well, as it gives them incentive to both learn more and teach others, and, of course, gain recognition for doing so.
- To have a stand-in voice when the security team isn’t present
There will be times when the security team can’t or just isn’t on the scene when the developers are working. The development team may have discussions and meetings where security processes come up, or they may be casual conversations among coworkers.
Having your Champion there for those discussions, hopefully acting as a voice for the security team, can be incredibly helpful. That could mean helping answer questions about a particular security issue, offer the security team’s’ point of view on various topics, and who can quickly get in touch with someone from the security team for assistance on something they’re not able to help with.
Developers may still be wary of asking questions or seeking advice from the security team, and your AppSec Champion can be that person of trust for the developers to turn to when they have security questions. Without that, developers would more likely make a best guess than call up the security team.
- To hear valuable feedback from conversations you’re not a part of
An AppSec Champion is in no way a spy for the security team. And while not spying on their colleagues, a champion can be a valuable asset in gaining feedback from their colleagues that has to do with security processes and tools. Offer your AppSec Champion, if not the whole development team, an open-door policy to bring any issues to light.
Developers can have some of the best ideas when it comes to how security is implemented in the SDLC because they’re so familiar with the processes, but they may not be running to your door to tell you, yet. Having someone on the team that can bring those ideas and issues to your attention is a huge asset.
- To help create a set of organization-wide secure coding standards and guidelines
If you haven’t created a secure coding standard for your organization or there isn’t one in place – it’s high time to implement it. Coding standards help keep each team responsible for their role in the secure release of applications, and are an important part of any AppSec program.
The best way to create secure standards are to have the developers write it along with the security team. That way, the standards are both in the developer’s natural language and include all the secure guidelines you want the organization to put in place.
With an AppSec Champion, you can recruit their assistance in helping initiate think-tanks on what guidelines should be included and how it should be written. These meetings should include members of both teams, giving your Champion the responsibility of choosing colleagues to join the meetings and offer their feedback.
- To help recruit other AppSec Champions
While you probably want to start with just one or two Champions to get the program going, your first ‘recruits’ can help you choose other Champions later on. In an ideal organization, this will be the start of a bigger program to spread secure coding practices amongst developers and security awareness throughout the company. Your first Champions can even help build the program up and take a leadership role in maintaining it.
- To spread more security awareness among the whole organization
The entire goal of having a Champion in the first place is to help increase secure coding among developers and raise awareness of the importance of security, so starting small but aiming big is the best way to get the highest ROI out of this part of your AppSec program.
The whole process of getting management and team leaders on board for your AppSec Champion program is already the first step in achieving this goal, because by doing so you’re already raising awareness among them. A major part of any Application Security program will include a heightened awareness and understanding of security issues in the organization, and your AppSec Champion plays a big part.
What other reasons do you have why organizations need AppSec Champions? Comment below!