This post was written by Chris Romeo during his tenure at Security Journey.
Every application security and SecOps organization needs to connect people under the banner of security. The security of any organization is only as strong as its people, and people thrive in a community. So how do you build one?
Developing a security community is about more than following a process or using a tool. It is about gathering together security-minded individuals in your organization so that they can share knowledge and experiences. A thriving security community can serve to teach, mentor, and energize new members on the benefits of having a security mindset.
Members of security communities go by different names, but whether you call them security champions, advocates, or guild members, all are passionate about security and enjoy sharing their experiences with others.
The activities below reflect the best practices that successful app sec and SecOps teams have used to connect and grow their security communities. The list starts with activities you can do that are relatively easy and least time-consuming. As you move down the list, the activities become more involved and require more resources.
A monthly training event is the bread and butter for any security community. This event forms the connection point for the members of the group to gather and learn something new from their peers. You can hold these events in person or through a web conference, depending on the geographic distribution of your membership.
Session content should include a mix of security updates for your organization and cutting-edge training. When running such events in the past, I consulted my network and invited well-known external security researchers and consultants to present on a topic. The easy way to lock in more external speakers is to use web conferencing for your meetings so that they don't have to travel to your site to participate. I’ve had speakers share drafts of talks they planned to use at upcoming conferences, so our community received a sneak peek of content that had not yet made it into the public eye.
To ensure success, keep your meetings low-key and lighthearted. I started my monthly events with a security trivia contest. We created questions based on a security-related topic and then asked people to type their answers into a private chat window. We ran the trivia sessions for the first five minutes of the meeting, giving latecomers a chance to connect before the actual meeting began. Over time, people began joining the meeting five minutes early to ensure that they were ready to play trivia. I awarded $50 Amazon gift certificates to the winners.
The hardest part of planning this type of event is finding your guest speakers. Try to schedule speakers three to four months out to ensure that you have a full backlog. This helps you plan but also gives you a list of people whom you can ask to come earlier if you have a speaker cancel.
A vulnerability decomposition discussion is similar in nature to the monthly training and connection event, but the focus is to break down the details of a specific type of vulnerability. I recommend scheduling this discussion once per month. Alternatively, you could replace one of your monthly training and connection events with a vulnerability decomposition meeting once per quarter.
To prepare for the discussion, query your bug database from the past quarter and list the top category for security bugs. For example, your top item might be SQL injection. In the vulnerability session, present a description and technical details for SQL injection to ensure that everyone understands the issue, and then explore examples of SQL bugs that arose in the last quarter. Choose the bugs in advance, working with your response team to find the right examples.
This event requires some up-front prep work. You’ll have to do some research in advance of this session: Searching the bug database and preparing to lead the discussion will take some time. But you can invite other senior members of your security community to assist in the preparation or even to lead the session. This is a great way for them to receive exposure and grow their abilities.
When you form a CSSLP book-of-the-month club, you invite members of your community into a study subgroup and then study a topic that results in a certification, such as the CSSLP. This is an in-depth, fact-based certification for people who focus on software or application security. If you have a subgroup that is new to security, consider starting with the Certified Information Systems Security Professional (CISSP) certification instead.
Either way, the leader for the subgroup chooses a book and coordinates signups for community members. The leader creates a schedule and then offers a lecture based on the schedule. An effective way to approach this is to use a certification preparation book and then attempt to complete one chapter per session or a specific number of pages each month. It is important to spend plenty of time in group discussion, answering each other’s questions and clarifying points that might not be clear to everyone.
Getting this activity off the ground is a bit more difficult: If you choose to lead this group, you’ll have to study each week in order to present the material and field questions on the subject. And while it does help to have the certification you are discussing, that's not mandatory.
A security day is a mini security conference that serves as a local connection point where the community can gather and network. This should be an in-person event that includes guest speakers from both inside and outside of your organization.
If you work for a global company that has many locations, consider stringing together a series of successive security days around the globe. You can reuse the agenda and some of the setup and creative materials you prepared for the first event for subsequent security days.
Your security day event should last no more than four hours and start either first thing in the morning or after noon. This allows developers and testers to attend and still get in a half day of work before or after the event.
During her talk at RSA 2016, Samantha Davidson of Uber referenced a security day where she brought in Rami Malek from the hit TV show Mr. Robot to participate in a panel for the internal Uber community. Mr. Robot is a popular show that spawns a quest for security knowledge among viewers, so it was a great connection point for the Uber security community.
I'd put the effort required to pull this off at 7 out of 10. The logistical details involved raise the degree of difficulty of hosting security days.
A capture the flag, or CTF, is a hacking challenge event where individuals or teams work out challenges contained within a known, vulnerable system or network. When they complete a challenge, they earn points toward their total score, and the challenges become progressively more difficult as contestants move through the system. At the conclusion of the event, the leader board shows the teams that earned the most points, including the winner. A CTF is a nice platform for recognizing your more technical team members.
The degree of difficulty involved in hosting a CTF event is quite high — I give it a 9 on a scale of 1 to 10 — because it's difficult to set up and to monitor. However, there are vendors that provide managed, cloud-based CTF infrastructures that can host your game. And if you want to take on the challenge of creating your own environment, you can use Carnegie Mellon's PicoCTF or Facebook's released CTF code, available as open source.
An internal security conference is the hardest item on this list to pull off. This is a multiday event, with registration, training, keynotes, conference talks, vendor sponsor fairs, and social events.
To prepare, you’ll need to host an internal call for papers and then adjudicate all the submissions. You’ll need to coordinate with many external speakers and sponsors, and you'll have hundreds of tiny logistical details that need to be worked out. The answer to a simple question such as “What’s for lunch on day one?” requires research and partnership just to pull off. If you get that answer wrong, you’ll have a line of hundreds of angry conference goers shaking their fists at you.
There are three keys to successfully pulling off a conference. The big one is to give yourself adequate planning time. A two-day conference requires six months of prep time. Secondly, you'll need to build up a team to assist in the planning process. Finally, choose partners who will help you create a successful event, including facilities, catering, and administrative support. Take care of your partners and always treat them with respect, as they are the ones who you need to rely on to bail you out if something begins to fall apart.
This is by far the most difficult community event to pull together. Be prepared to have a second full-time job if you take on the chairperson role for an internal conference like this. It is a mountain of work, but when you see the event delivered, you'll see that it's well worth it. If you wish to host an internal event but are scared off by the amount of work, consider hiring an event planner. That will offload the logistical details from your plate, and allow you to focus on the technical content and vision for the event.
So there you have it: Six ways to engage your security community. Take these ideas for activities, adapt them, and make them your own. There is no cookie-cutter approach to community building. Each event you host should reflect your organizational culture.
What do you do to build a security community?