How Security Champions Help Improve Application Security

Application security is a major concern for many organizations.  In 2020, over 23,000 new vulnerabilities were discovered and publicly reported in production applications.  On average, a codebase contains 158 vulnerabilities.

Reducing these vulnerability rates is essential to corporate cybersecurity and protecting the organization’s reputation.  Implementing a security champion program to support application security can help.

What is a Security Champion?

For many organizations, security expertise is centralized within the security operations center (SOC).  The primary goal of the SOC is to protect the organization against attack, which includes finding and fixing vulnerabilities in an organization’s production applications.

The problem with this approach to application security is that it makes it difficult for companies to shift security left.  Without security knowledge and expertise in the development team, it is difficult to build it into the early stages of the software development lifecycle.  As a result, security continues to be left until the end, and production vulnerabilities keep happening.

A security champions program is designed to embed security expertise throughout the entire organization.  This includes soliciting volunteers from each team to become advocates for good security practices with their peers.

By scattering security expertise throughout the organization, a company is better equipped to find and fix potential security issues early in their lifecycles before they become a major problem.  Additionally, the company has a greater pool of security knowledge and experience to draw on in the event of a major incident.

Why Security Champions are Necessary for AppSec

In many organizations, the IT or security team is wholly responsible for security in the organization, including application security.  However, the number of vulnerabilities in production applications demonstrates that this approach isn’t working.

A security champions program can help to address this issue by tackling many of the major roadblocks that organizations face with regard to application security, including:

• Security is often an afterthought. Security is important to most development teams, but it often falls below an on-time release in the list of priorities.  Security champions can help to ensure that necessary security testing is performed and issues are fixed before code reaches production.

• Developers trust their peers. An organization’s IT and security team can do outreach, but most people prefer to ask their peers for help when they’re stuck.  A security champion on the development team can help to advocate for and guide developers to the right solution to a problem instead of a security workaround.

• IT has other priorities. Often, an organization's SOC is responsible for securing their applications, which can include security testing for code in development.  However, this is just one of many responsibilities, meaning that application security doesn’t always receive the time and attention that it deserves.  Having security expertise on the development team helps to ensure that security is not overlooked in the rush to release.

Supporting Your Security Champions

Standing up an effective security champions program is more than just naming someone on each team as the designated security champion.  To actually make a difference in an organization’s application security, security champions need to be supported by the organization, which means that companies need to do the following:

• Give them the training they need. To effectively advocate for security, security champions need to understand security.  If a developer is interested in becoming a security champion, provide them with the training that they need to feel comfortable in the role and get the respect of their peers.
• Equip them with the right tools. A security champions program is designed to encourage developers to do things “the right way.”  To be successful, this means that security should be frictionless and painless to perform.  Make sure that security champions have tools and processes in place that they can point to when making their recommendations.
• Define easily measurable goals. A security champions program, like any other program, needs to be justified up the chain of command.  Defining easily measurable metrics to gauge the success of the program can help demonstrate its value to the organization.

Security champions are the ambassadors of security, and are looked upon as subject matter experts among developers. They help promote application security among their peers, and draw upon their knowledge, technical acumen, and their leadership skills to accomplish this goal. By equipping them with knowledge and skills through both leadership and secure coding training, organizations are investing in the improvement of their application security.