How to Turn Your Developers into Security Champions

Definition

What is a security champion?

Benefits

How can a security champion help?

Responsibilities

What does a security champion do?

Roles

Who should be a security champion?

Training

What does a security champion need to know?

Preparation

How can you start developing security champions?

Want to learn more about what it takes to be a security champion?

Watch Veracode’s Ryan O’Boyle and Tim Jarrett discuss the ins and outs of developing a successful security champion initiative.

Watch Now

What is a security champion?

A security champion is a developer with an interest in security who helps amplify the security message at the team level. Security champions don’t need to be security pros; they just need to act as the security conscience of the team, keeping their eyes and ears open for potential issues. Once the team is aware of these issues, it can then either ﬁx the issues in development or call in your organization’s security experts to provide guidance.

Security champions don’t need to be security pros; they just need to act as the security conscience of the team.

How can a security champion help?

The fact is, when it comes to DevOps, your security team can’t be everywhere at once – there are just not enough hours in the day or manpower to provide the security coverage your developers need. In addition, there’s a major security skills gap in the development industry, putting developers with adequate security experience in short supply. In fact, a recent Veracode/DevOps.com survey found that nearly 40 percent of the survey’s respondents said they struggle to ﬁnd all-purpose DevOps gurus with sufficient knowledge of security testing. That’s not surprising considering that the survey also found that 76 percent of developer survey respondents who attended college reported that they weren’t required to complete any security courses while in school. And finally, when given the opportunity to add a team member, organizations often choose to add a developer who can produce product and profit over a security team member who can be seen as a cost.

With a security champion, an organization can make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.

Because your security champion speaks the lingo of developers and is intimately involved in the project, he or she can communicate security issues in a way that the development team will understand and embrace. The best part? By increasing the security quality of code at the development stage, you’ll reduce bottlenecks at the security review stage, giving your security team more time to work on high-value tasks.

To learn more, read our blog post Security Champions: A Scalable Approach for Securing DevOps.

What does a security champion do?

As DevOps continues to shift security testing left into the earliest phases of the software development lifecycle, the security champion will be there to convey security priorities to other members on the development team. The champion’s responsibilities include:

Education. Staying up-to-date with the latest practices through ongoing training with security

Inspiration. Raising awareness of security issues within the development team

Review. Reviewing code for security issues

Escalation. Acting as the point person to elevate an issue for the security team to review

Resource. Answering developer team questions about secure coding practices

Sharing. Connecting with other security champions throughout the organization to share ideas and tips

To learn more, watch the webinar Be the Champion of Security in a DevOps World.

Who should be a security champion?

A security champion should be someone who’s familiar with the product being developed and is aware of potential security concerns. The champion is typically a developer, but could also be a QA employee, architect, designer, DevOps pro, operations employee, or even a product manager.

The security champion doesn’t have to be the Scrum Master or the lead; those people likely have enough on their plates and may not give security enough attention. However, it’s necessary for team leaders to understand and value the role of security so they can support the security champion and prioritize security as a project goal.

Tip:

No one likes being given extra work. Have security champions self-identify and volunteer for the added responsibility to ensure they stay engaged and effective. Don’t forget to manage the rest of their workload appropriately.

To learn more, check out 6 Tips for Turning Developers Into AppSec Allies.

What does a security champion need to know?

While your security champion may be interested in security, you shouldn’t expect him or her to know everything about the topic on Day One. It’s the security team’s job to train security champions so they can amplify security’s role as far left as possible.

To start, the security team should deﬁne the issues they want the security champion to watch out for. Security can then train the security champion to identify and mitigate the issue. By handing off that responsibility to the champion, the security team can use the extra time to train the next Scrum team.

It’s important to resist the temptation to prescribe solutions; security must meet Scrum teams where they are and adopt advice and training so that it fits the Scrum team’s existing process and work methods.

And a little education can go a long way. Data collected for Veracode’s State of Software Security report found that eLearning improved developer fix rates by 19 percent while remediation coaching improved fix rates by 88 percent.

Knowledge is power: Research shows eLearning improves developer ﬁx rates by 19 percent while remediation coaching improves ﬁx rates by 88 percent. #securitychampion

How can you start developing security champions?

Ready to build your security champion program? Here are a few things you can do to develop the security champions in your organization and shift security left:

Get leadership buy-in. Make sure management, the security team, and the Scrum leaders are willing to invest the time, money, and resources it will take to make security champions effective.

Set the standard. Create expectations for what security champions should do and incorporate it into their pre-existing peer review work to minimize disruptions.

Track success. Make security a KPI so your organization can evaluate the ROI of the program.

Provide training. Volunteers can bring passion, but it’s up to your security experts to provide the knowledge your security champions will need to review code for flaws and pass best practices on to the development team.

Build community. Make sure security champions have ample opportunity to meet with each other and the security team to discuss specific issues and overall trends.

How to turn developers into security champions

SECURITY CHAMPIONS 101

Definition

Definition

What is a security champion?

Benefits

Benefits

How can a security champion help?

Responsibilities

Responsibilities

What does a security champion do?

Roles

Roles

Who should be a security champion?

Training

Training

What does a security champion need to know?

Preparation

Preparation

How can you start developing security champions?

Want to learn more about what it takes to be a security champion?

Contact us for more information on or help embedding security into your software development lifecycle.

What is a security champion?

How can a security champion help?

What does a security champion do?

Who should be a security champion?

Tip:

What does a security champion need to know?

How can you start developing security champions?