The goal of the AppSec community is to foster a collaborative environment among developers through coaching and mentoring.
At Security Journey, our programmatic learning approach includes advanced levels where learners complete activities within their organization and take on mentorship opportunities.
This article will review four activities for security champions to complete within their organization.
Progressive Learning Explained
Progressive Learning is an educational philosophy emphasizing the importance of learners working through content at their own pace and developing their abilities.
With Security Journey's AppSec Education Platform, you can choose from our programmed themes (Levels, Climbs, or Belts) or create your own theme for progressive learning.
Read More: Benefits of Progressive Learning
What is a Security Champion?
As your learner progresses through their training program, they will approach levels 4 and 5 and start participating in security activities; these are your organization's Security Champions.
A Security Champion is a member of the development team who is a proponent of security-minded development practices. They are not part of the security team, but they receive a badge of honor for taking on additional responsibilities to support the security team.
This person works as a liaison between both teams and will have an in-depth understanding of their priorities. This is the most effective way for the development team to ensure they support the security team's priorities.
4 Examples of Security Champion Activities
Here is a list of recommended security tasks a security champion can do to obtain their Level 4 / Professional completion:
Advocate For Security
Advocate for security within the organization by promoting the importance of security and encouraging other developers to prioritize security in their work.
An activity that could accomplish this is conducting security-oriented peer reviews.
Resources:
- [Article] Adopting Long-Lasting AppSec Habits
- [Podcast] The Security Champions Podcast
Conduct Security Awareness Campaigns
Conduct security awareness campaigns to educate employees on the importance of security and how to avoid common security threats, such as phishing attacks or social engineering.
An activity to accomplish this could be hosting lunch-and-learns for your organization.
Create a Threat Model
Conduct a threat model of an application or system to identify vulnerabilities and potential risks, then produce a list of possible mitigations.
The goal of threat modeling is to understand the risks before developing a system and to help educate other developers on avoiding similar vulnerabilities in the future; there is no one-size-fits-all methodology for defining every threat.
Resources:
- [Article] What is Threat Modeling? (Practical Guide + Threat Modeling Template)
- [Download] Threat Modeling Manifesto
Implement Security Scanning Tools
Implement security scanning tools, such as static application security testing (SAST) or dynamic application security testing (DAST) tools, to identify vulnerabilities in applications and systems. The security champion can help set up and tune these tools to minimize false positives while still catching real vulnerabilities.
Resource:
- [Article] SAST vs. DAST vs. IAST
Are You Active About Your AppSec?
At Security Journey, we know rolling out a training program can be daunting. Our AppSec Education Platform is entirely customizable for your needs or comes out of the box with nearly 700 lessons to create a multi-year, programmatic level-based approach.
Our level-based approach gives all learners the foundation of understanding to apply security concepts to their daily work. Three advanced learning paths offer developers in-depth security knowledge and the skills to build a solid security culture.
You can contact our team for a personalized demo or try our training for free today.