In a perfect world, all developers, developer managers, and product owners would be champions of security. But we don’t live in that world and I don’t see that happening anytime soon. Developers are the ones that actually do security, they write code and fix security vulnerabilities. Application Security people just wave their hands around and give long speeches about how DevSecOps (Developer Security Operations) will save the world but it won’t. Developers that care about the quality of their code will.
So how do you even get this shit started anyways? Start small. Find the developers that are interested in AppSec and start working from there. In fact, find anyone that will listen to you talk to them about AppSec. Schedule meetings with dev leads, dev managers, anyone. Shit, schedule meetings with your managers and make sure they understand AppSec, because they probably don’t.
Once you have some people listening to you, start getting a list of interested parties. These people will be your first security champions! Be excited. Try to get at least one person from every team. Meet with them for 30 minutes once a month, and as the teams get more mature, you can back this off to once every other month or once a quarter. But you will want to meet with them at least once a quarter.
In these meetings, find out what they have been working out, what they are going to be working on, and what issues they are running into. This will help you figure out what teams to focus on, especially if you have 20 teams to worry about like me. Go over any open vulns with them and make sure there are tickets in their backlog to address these issues. Help them understand the security issues in their apps and make sure they know why it is important for them to fix. Use this time to figure out what their application does, why it does what it does, what problems they are trying to solve, and whose problems they are trying to solve.
As your Security Champions program matures, figure out what works for you and do those things. This advice is only to get you started. Here are a bunch of other smaller sections of advice for your reading enjoyment.
Code Learn to code. How do you expect developers to listen to you if can’t hop in the code and help them fix their problems? That is all for this section.
Outreach all the things Go make friends with your developers and figure out what motivates them. Most developers just want to build cool shit, so figure out how to make sure they can do that in a secure way. If you make them jump through a bunch of hoops then they probably aren’t going to do it.
Help Developers with other things Sometimes you are the only point of contact in Information Security for your developers. When the proxy breaks or when some other security control is fucking up their shit and they can’t get it working, you will be the person they will probably reach out to. Point them to the proper people to help them fix their problems or their tickets will go unresolved for weeks and just magically close one day. They will remember that. Make yourself available all the time. You will be interrupted a lot but at least they will start asking you questions relevant about security eventually.
Training I originally started out with Lunch and Learns. Once a month from February to November (January and December suck because everyone is on vacation) for the first year I gave a talk on one item from the OWASP Top 10. Some months I had close to 40 people watching my talks, and some months I had 2. But those 2 got the same great show I would give to the 40 developers. If those developers took time out of their day to watch my crappy talks, I made sure it was worth their time. Question and answer sections are usually a lot better with smaller groups than big groups. These hour training sessions I would spend about a day preparing and creating the talk and the slides. Again, just steal everything. Take things you like from other people’s talks that you like. Other people probably did it better anyways.
For Security Champion specific training, get a 3rd party security consultant to come in and give it. You probably won’t have time to put together a 2-3 day training class, and if they are local, you will be supporting the local economy. You will want to call this “Secure Code Training” when you are pitching this to your bosses, developer managers, and such. But really you want to just have them learn how to hack web apps. It is fun and engaging, and they will probably be more interested in security once they can pull off a few little cool attacks.
Recognition Now I suck at this part, but I am doing better. If your company has built in recognition programs, make sure to use those. Write emails to the security champions’ manager when they do something good, or just write it anyways, especially around review time. Remember, some of these Security Champions are gonna be voluntold, so make sure you make it’s worth their time. If you have the budget, try to do a yearly lunch or dinner with all of the Security Champions. And none of the crappy pizza, take them out somewhere nice. If you have other good recognition programs that work, hit me up because I need some help too.
Quality software is secure software The quality, QA, SDETs teams should be your biggest allies. These guys are fighting the same fight you are and you want these guys on your side. Make sure they are included in your training. Also, make sure they are part of the Security Champions program as well.
Support from Management and Product Remember, developers can only do so much on their own. You really need to get the managers and product owners on board. All the agile people like to do sprint planning and all that shit. So making sure the managers and product owners understand the importance of security might make your job a bit easier if they prioritize your security bugs and features into their sprints.
Tip #5: All developers love EDM. Electronic dance music or EDM puts developers into “the zone”. The zone is where developers go to be highly focused and creative at the same time. When you are meeting with developers, play EDM on your cell phone at a soft volume when it is in your pocket. Developers will be more focused and more productive during your meetings with them. If you do not have a cell phone, you can repeat “uhn tiss uhn tiss uhn tiss” under your breath after you are done talking.
Security Champions Pyramid
I was told by a friend that I didn't have enough diagrams in my blog. In my on going quest of self-improvement, I have decided to create a diagram and a new idea called the Security Champions Pyramid. The idea is simple. As the AppSec Dude, you recruit 3 Security Champions. Then, each of those recruit 3 more Security Champions, and so on. Keep doing this until everyone in the world is a Security Champion. If you find a way to make money from this let me know.
About the Author
Ray is a Life Coach and Conspiracy Theorist. He does AppSec in his non-spare time for money. Twitter