As we discussed in our previous post, your best appsec engineer is already on your team; you just need to find them. In larger development organizations, however, this one person might not be enough to create the culture of security necessary for long-term risk management and improved software security outcomes (aka “DevSecOps”). To do that without making additional hires, you need a Security Champions program.
A Security Champions program, or SecChamps for short, will help spread application security awareness and capabilities throughout your development organization. SecChamps are architects, engineers, and product managers who are already on your team, familiar with your code and systems, and have the relationships necessary to get things done. SecChamps will spread appsec awareness and capabilities throughout your teams, allowing you to address security earlier and more effectively.
Like any organizational change, a SecChamps program benefits heavily from strong backing by leadership. But talking about security one time is not enough. We’ve seen leaders tell their teams that security is important, only to have a backlog of known security issues keep growing and languish in Jira. Executive and Director-level leaders must not only frequently explain to the organization why security matters to the business, but also give product and engineering teams explicit permission to prioritize security bug fixes and security features over UX improvements and other feature work.
Jumpstarting a SecChamps Program
Most organizations are familiar with hiring outside consultants to perform penetration testing as a common security activity. And sadly, many organizations are disappointed in the result: they feel like they are wasting money on “pretty crappy pentests” in order to achieve some level of compliance, without any lasting value to their organization. At Carve, we’ve spent a lot of time developing our security assessment services to bring lasting value to our customers. One of the services we’ve developed is a bedrock activity for rapidly spinning up our managed SecChamps program: the collaborative security assessment.
You can kick off a SecChamps program by performing a thorough security architecture review, threat modeling exercises, and a threat-driven security assessment (aka “pen test”). While standard security assessments are often very hands-off from the perspective of the engineering team, the SecChamps activities are highly collaborative, and increase the value of a pen test engagement to the client for the following reasons:
- Our methods combined with the knowledge of your team will generate higher quality findings in a shorter period of time
- Your architects and engineers get “on the job” software security training by working closely with Carve consultants
- Engagement deliverables satisfy compliance requirements for penetration testing (you can still check your boxes)
- We will generate automated CI/CD security tests (using our Restrike testing platform) so your engineers can spend more time on features and other things that drive value for your customers
- The engagement concludes with training based on your applications and your threats, tailored to your organization so that it resonates and is actionable
By the end of the collaborative engagement, your security champions will have revealed themselves. These are the people who are naturally engaged during the activities, ask important questions, expose security problems they are already aware of, and advocate for security improvements. You might end up with two, or you might end up with ten – that doesn’t matter. The point is that you’ve grown your own security team quickly without making any additional hires.
What happens next? Continuous Threat Modeling
Threat modeling is a critical security exercise that helps teams determine how code should be written so that it is secure. We have seen companies save hundreds of hours of engineering time by performing threat modeling sessions early in a development sprint. Time and money are saved when an engineer identifies a design flaw before coding begins, when issues are the cheapest to fix.
At its simplest level, it is a thought exercise that allows product managers to be specific about security behavior, and engineers to purposefully write secure code. After your teams have experienced our engagement and Threat Modeling training, they will understand basic Threat Modeling principles and will instinctively begin using them during design activities. When threat modeling is happening continuously as part of your development lifecycle, you have begun to “shift security left.”
Escalation, Support, and the SecChamps Meeting
Even great software engineers don’t become seasoned security experts overnight – and they don’t need to. Your security champions will need support from knowledgeable security practitioners who speak the language of product managers and engineers. This includes software security subject matter experts, as well as representatives from the corporate security team (if one exists). In a SecChamps engagement, Carve facilitates this support and collaboration in a few different ways:
- Making our software security expertise and leadership capabilities available to engineering teams in real time via Slack
- Leading scheduled security champions meetings where challenges and opportunities are discussed
- Liaising between corporate Information Security and Product Engineering teams to foster collaboration
Progress: how will you know this is working?
When your SecChamps program gains momentum, the champions will start raising security issues on their own. Don’t be surprised if they rediscover security issues that have previously been reported but not fixed, or if your backlog of security issues starts to grow. These are good signs. But ultimately, you want to see issues be reported AND resolved.
If the security backlog continues to grow and issues are not being fixed, it may be that the product team is not effectively prioritizing the security backlog. This is why we include product managers in our Threat Modeling training curriculum. Providing additional security training and re-explaining why these issues need to be addressed to product leaders will give them the mental models needed to better prioritize security improvements.
For quantitative metrics, consider the following indicators of security bug fixing success:
- Short-term: you want to see an increase in reported security issues
- Long-term: you want to measure and manage the time it takes for discovered security issues to be resolved; you want to see a decrease or stabilization in reported security issues as Threat Modeling takes hold and security issues are fixed before code is written
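As an added illustration (not from the original post), here is a small Python script that computes the indicators above from issue-tracker records: issues reported per month, median days to resolution, the unresolved backlog by age, and issues that have breached a remediation target. The records and the 30-day target are constructed sample values, not real data.

```python
from datetime import date
from statistics import median

# Constructed sample of security-issue tracker records (not real data):
# one record per issue, with the date it was reported and, if fixed, resolved.
ISSUES = [
    {"id": "SEC-1", "reported": date(2023, 1, 10), "resolved": date(2023, 2, 1)},
    {"id": "SEC-2", "reported": date(2023, 2, 5), "resolved": date(2023, 2, 12)},
    {"id": "SEC-3", "reported": date(2023, 2, 20), "resolved": date(2023, 3, 15)},
    {"id": "SEC-4", "reported": date(2023, 3, 3), "resolved": None},
    {"id": "SEC-5", "reported": date(2023, 3, 18), "resolved": date(2023, 3, 25)},
    {"id": "SEC-6", "reported": date(2023, 3, 28), "resolved": None},
]


def reported_per_month(issues):
    """Short-term indicator: number of issues reported per calendar month (YYYY-MM)."""
    counts = {}
    for issue in issues:
        key = issue["reported"].strftime("%Y-%m")
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items()))


def median_days_to_resolve(issues):
    """Long-term indicator: median time from report to fix, over resolved issues only."""
    durations = [(i["resolved"] - i["reported"]).days for i in issues if i["resolved"]]
    return median(durations) if durations else None


def open_backlog(issues, as_of):
    """Unresolved issues with their age in days as of a date, oldest first.
    A list that keeps growing here is the 'reported but not fixed' signal."""
    open_items = [(i["id"], (as_of - i["reported"]).days)
                  for i in issues if i["resolved"] is None]
    return sorted(open_items, key=lambda item: item[1], reverse=True)


def remediation_breaches(issues, as_of, max_days):
    """Open issues older than the remediation target (constructed: max_days)."""
    return [issue_id for issue_id, age in open_backlog(issues, as_of) if age > max_days]


if __name__ == "__main__":
    today = date(2023, 4, 1)  # constructed reporting date
    print(reported_per_month(ISSUES))
    print(median_days_to_resolve(ISSUES))
    print(open_backlog(ISSUES, today))
    print(remediation_breaches(ISSUES, today, 30))
```

Replace ISSUES with an export from your tracker; the same functions then give you the monthly trend and the time-to-fix figures the post recommends tracking.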
Use this link to schedule a complimentary, private webinar for your team on Security Champions and Shifting Security Left.
This isn’t a recorded webinar because there is no one-size-fits-all solution here; your security engineering program must be matched to your engineering process and the threats to your organization. We will walk you through our presentation on strategies and tactics for building security into your SDLC so that you can release code faster with greater confidence and better risk management for your business. You and your team will have the opportunity to ask questions and get feedback and advice.
Ready to get started? Schedule a meeting with us.