We know firsthand how critical it is for developers and security professionals to have a great working relationship. That extends beyond simply communicating well; for your DevSecOps program to come together so that you can secure your applications, you need to break down silos and improve security knowledge across the board.
Recently, Forrester published a report on this very topic that digs into the challenges organizations like yours face when standing up programs to support security and developer needs. The report, ‘Build A Developer Security Champions Program,’ lays the groundwork for standing up a successful program that lasts and improves the health of your application security (AppSec). Key takeaways from the report highlight:
- The importance of embedding AppSec where developers need it most
- The need for executive sponsorship and funding for your program
- Five critical steps to consider when building a program
And according to Forrester, those five steps – which cover everything from making the case to stakeholders to training your champions and showing support when they improve their skills – are critical to launching an effective security champions program.
Security champions: defined
In the report, Forrester defines security champions as follows: “Extended members of the security team that work in various roles across the organization that translate security-speak into a language that everyone can understand.” It’s about empowering your developers to become the influencers on their teams, closing information gaps, and escalating issues or concerns to the right people, at the right time.
With an established program in place that has the right tools, solutions, and resources plugged into the right processes, you’ll have an easier time scaling security knowledge within your organization. As Forrester points out, developers in well-rounded security champions programs may even go on to become great security leaders of their own down the road.
Your security team will then have a bridge in place to work directly with developers on prioritizing which flaws to remediate, furthering education on both sides of the aisle, offering more support, and measuring effectiveness.
That has a domino effect: efforts like remediation prioritization can help your developers cut down the risk of security debt by catching and remediating high-severity flaws. It’s especially impactful when you integrate hands-on training tools like Veracode Security Labs that equip developers to tackle modern threats impacting their code.
Want to learn more about setting up a security champions program of your own? Read the full report from Forrester here.