In a previous article [1] I started discussing DevSecOps and the concept of "shifting left" security.
Moving security checks to the early steps of development is much easier when every scrum team includes a security-aware person: the so-called "Security Champion".



Shifting Left and Integrating to "Fail Quickly"

Integrate security into the CI/CD process as early in the development lifecycle as possible.

The goal should be to minimize the gap between the discovery of a problem and the moment the developer is brought back in to fix it.

That’s because it’s much faster, cheaper and easier to ask a developer to fix something they just coded than something they wrote six months ago.
The longer you wait, the longer it will take for the developer to get back up to speed with that particular code, assuming the developer is even still on the project. [1]

A good practice is therefore to automate security tests so that they run while the developer is writing the code, giving instant feedback and allowing a fix before the issue ever reaches a later stage.
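As an added illustration of this "instant feedback" idea (this is not code from the article or from OWASP), the following POSIX shell script acts as a git pre-commit hook: it scans only the lines the developer is about to commit for hardcoded credentials and refuses the commit when it finds one, so the problem is caught seconds after it is written rather than months later. The regular expressions, the "nosecret" allowlist marker and the function names are assumptions chosen for illustration; a real pipeline would delegate to a dedicated scanner and run the same check again in CI.

```shell
#!/bin/sh
# Added example (not from the article): a pre-commit hook that gives the
# developer "fail quickly" feedback by scanning only the lines they are
# about to commit for hardcoded credentials. The patterns, the "nosecret"
# allowlist marker and the function names are assumptions for illustration.

# Regexes for an AWS access key id and for quoted password/token literals.
SECRET_PATTERNS="AKIA[0-9A-Z]{16}|(password|passwd|secret|api[_-]?key|token)[[:space:]]*[:=][[:space:]]*['\"][^'\"]{6,}"

# added_lines: reads a unified diff on stdin and prints only the added
# source lines (leading '+' stripped), skipping the '+++' file header.
# Scanning only additions keeps the hook from blaming pre-existing code.
added_lines() {
    grep '^+' | grep -v '^+++' | sed 's/^+//'
}

# scan_for_secrets: reads source lines on stdin, prints each suspicious
# line, and returns 1 if any were found (0 otherwise). Lines carrying the
# allowlist marker "nosecret" are skipped so test fixtures can be committed.
scan_for_secrets() {
    hits=$(grep -v 'nosecret' | grep -E -i "$SECRET_PATTERNS" || :)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# check_staged: hook entry point, run by git from .git/hooks/pre-commit.
# A non-zero exit aborts the commit and the offending lines are shown.
check_staged() {
    if git diff --cached -U0 | added_lines | scan_for_secrets; then
        return 0
    fi
    echo "pre-commit: possible hardcoded secret in staged changes; fix it or mark the line 'nosecret'" >&2
    return 1
}

# Only touch the repository when executed as the hook itself, not when sourced.
case "${0##*/}" in
    pre-commit) check_staged ;;
esac
```

Installed as an executable `.git/hooks/pre-commit`, the script runs on every commit. The allowlist marker exists because test fixtures and documentation legitimately contain fake credentials, and a check that blocks developers with false positives tends to be disabled rather than fixed, which is exactly the culture conflict the rest of this article is about.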

However, that doesn’t mean security is now solely the responsibility of developers.

It would be unrealistic to expect developers to understand security as deeply as cybersecurity professionals do; moreover, they are often under pressure to deliver code as quickly as possible, which creates a potential conflict between fixing a security issue now and putting it off until later.
A partnership between development and security is therefore essential: security defines the acceptable security quality level, and developers implement continuous testing to address issues as they appear.

In this context, the role of Security Champion is particularly useful.


Who are the Security Champions?

According to the OWASP definition, Security Champions are

active members of a team that may help to make decisions about when to engage the Security Team

In a DevOps environment, the security team isn’t the only one responsible for making sure an application is secure: everyone is!

But most developers aren’t trained in secure coding practices, and security teams typically have a limited understanding of how developers work, often failing to recognize what developers need to do their job properly.
Security’s goal then becomes more about giving the development team the tools, process, expertise and governance needed to empower them to find and fix flaws in their code.

A security champion can bridge this gap by translating between the two sides: embedding application security knowledge directly in the team gives the security team a force multiplier while reducing culture conflict.
It is therefore important to designate one person on each development scrum team as the go-to resource for application security: a security champion embedded in every scrum team ensures that security is represented in every design decision and at every stand-up.


Build Security Champions

https://www.youtube.com/watch?v=GGteWLrqlzA

A good Security Champion should have these characteristics:

  • Developer: a security champion must have the skills of a professional developer, but also clearly understand the importance of security practices and the needs of the larger business.
  • Passionate about security: security champions are self-appointed advocates for project security. Because of this, they have a naturally keen interest in integrating security into development processes.
  • Aware of the development process: a security champion must not only know how to code in a secure way, but also how to address a development team’s priorities, including having a deep understanding of the benefits and goals of the DevOps model.

The OWASP website offers a useful article [2] with six easy-to-follow steps for deploying security champions in your teams:

  1. Identify teams
  2. Define the role
  3. Nominate Champions
  4. Set up communication channels
  5. Build solid knowledge base
  6. Maintain interest

Every step includes general recommendations, links to known good sources, and personal experience.

Finally, security champions should regularly get together with security experts to discuss security issues in the news and build a community focused on security within the company.

The goal is to create a "Culture of Security", in which security is prioritized and becomes a business metric.


References

  1. Some thoughts about "Shift Left" security in DevSecOps
  2. Security Champions Playbook - OWASP