What Is “Embed” In The 3E Framework?

The 3E framework for integrating security into the software development lifecycle includes three critical phases: Educate, Embed, and Empower. The “Embed” phase is essential for integrating security practices into development teams’ daily workflows and processes.

“Embed” is the second step in the 3E Framework. Once stakeholders have received baseline education, the next step is to embed security expertise locally into development teams. This is often called a “Security Champions” program. Security Champions act as local experts and advocate for best practices, ensuring security is fundamental to the development process. They will eventually be the champions of adopting a Security by Design mindset and take on responsibility for activities in the Empower phase.

Security Champions

A Security Champion is a member of the development or product team who has volunteered or been nominated to act as the local expert on security for their team. This individual should have an established and trusted relationship with their team and be intimately familiar with their applications, code, and technologies.

Roles and Responsibilities

A Security Champion:

  • Acts as the “Security Conscience”: This person serves as the voice of security within the team and promotes security best practices.
  • Provides Expertise: Acts as the go-to person for security-related matters and assists in various application security activities.
  • Drives Improvements: Helps implement and drive security improvements within the team.
  • Integrates Security: Ensures that security is fully integrated into the development process.
  • Bridges Teams: This person acts as a liaison between the application security team and the development team, facilitating better communication and collaboration.

Profile of a Security Champion

A Security Champion does not require prior information security or application security knowledge. Ideally, they should:

  • Be a developer.
  • Be self-motivated and eager to learn new ideas and technologies.
  • Have a passion for security and building secure applications.
  • Be dedicated to protecting the organization against security threats.
  • Be interested in improving their team’s security awareness and practices.
  • Be influential within their team.
  • Not be a manager or have decision-making power.
  • Commit 20-30% of their time to security activities.

Responsibilities of a Security Champion

Security Champions work with the central security team to support application security activities. Potential responsibilities include:

  • Acting as the Voice of Security: Advocating for security best practices within the team.
  • Participating in Security Discussions: Engaging in discussions about security and bringing in application security team members when needed.
  • Documenting Security Decisions: Making and documenting security-related decisions for the team.
  • Identifying Security Needs: Helping identify user stories or requirements that may require security input.
  • Implementing DevSecOps Initiatives: Supporting and implementing DevSecOps practices within the team.
  • Prioritizing Security Requirements: Ensuring security-related stories and requirements are prioritized in the product backlog.
  • Creating Threat Models: Developing and documenting threat models for applications.
  • Conducting Security Code Reviews: Reviewing high-risk code for security vulnerabilities.
  • Implementing Security Tests: Helping implement security activities and tests within the CI/CD pipeline.
  • Triaging Security Issues: Managing issues from static and dynamic analysis scans, penetration testing reports, and bug bounty programs.
  • Overseeing Remediation Processes: Ensuring threats and vulnerabilities are addressed promptly.
  • Staying Updated on Security Trends: Keeping track of modern security attacks and defenses.
  • Encouraging Team Training: Motivating team members to complete security training and providing resources for ongoing education.
  • Engaging with the Security Community: Participating in Security Champion program calls, forums, and events.

Time Commitment and Resourcing

Time commitments for Security Champions vary by company. In our experience, enterprise Security Champions should allocate 20-30% (1-1.5 days) of their weekly time to application security activities. Ideally, each development team should have 1-2 Security Champions to ensure redundancy and coverage.

Creating a Security Champions Program

A Security Champions Program is fundamental to the success of a mature application security program. It helps scale application security in an organization by embedding a security conscience within development teams and leveraging development team members to act as the team’s key contact for security support.

Keys to Success

  • Motivation: Ensure Security Champions see the value in their contribution and participation and recognize and reward their efforts. Recognition can include formal positive communication from senior management and opportunities for personal and career growth.
  • Ability: Provide the necessary training and resources to enable Security Champions to perform their roles competently and confidently. This includes computer-based or instructor-led training, workshops, mentorship, books, and conference attendance.
  • Management Support: Secure dedicated support from the Security Champion’s team and management. Without buy-in, development tasks may be prioritized over security activities, risking the program’s success.

Core Activities

A Security Champions Program can be divided into four core activities: Recruitment, Training, Engagement and Maintaining Interest, and Program Management. These activities help build, organize, and maintain a Security Champions Program and network.

Figure 1: Core Security Champions program activities

1. Recruitment

Recruitment is the primary activity required to establish and grow a Security Champions program. It involves multiple strategies to solicit volunteers and identify people interested in participating.

Active Recruitment:

  • Performing outreach and advertising of the Security Champions Program.
  • Emailing development team executives or senior leadership to nominate Security Champions after the initial advertising of the formal launch.
  • Including updates on the Security Champions Program in internal newsletters, with a call to join the program if a development team does not already have a Security Champion.
  • Including the Security Champions program in presentations about application security.
  • Hosting regular Information Security events focused on application security and inviting development teams.

Passive Recruitment:

  • Minimal advertising and effort, relying on word-of-mouth and existing networks to attract participants.

Volunteer vs. Nominations:

  • Seeking volunteers for the role ensures motivated and engaged participants. If no volunteers are available, seek nominations from team leads, managers, or peers, but confirm their interest to ensure they are willing participants.

2. Training

As part of participating in the Security Champions program, Security Champions help scale, execute, and support various aspects of Application Security processes. Training helps empower Security Champions and allows them to support Application Security and the overall security culture within the organization and their respective development teams.

Training may include shadowing and mentorship, instructor-led training, computer-based training, access to online platforms, or conference and community talks or workshops.

3. Engagement and Maintaining Interest

Ensuring Security Champions remain interested and engaged is crucial to continuous success. Priorities related to their core roles and responsibilities will likely precede Application Security activities. Therefore, incentivizing Security Champions helps increase the likelihood of continued participation.

Activities associated with Engagement and Maintaining Interest may include organized events (e.g., Capture-the-Flag and Lunch and Learns), an internal security newsletter, growth opportunities (e.g., mentorship, conference attendance, and industry training attendance), recognition (e.g., letter of appreciation and recognition from management), or rewards (e.g., gift cards, t-shirts, and stickers).

4. Program Management

Program Management captures all related activities required to manage and operate a Security Champions program that do not fall into the other three categories.

The main objectives of Program Management are to:

  • Ensure the program is working and meeting its objectives.
  • Ensure Security Champions are engaged and still participating.
  • Report on the success of the program.

Incentives and Rewards

Incentives and rewards are crucial for motivating participation. Rewards should be varied, meaningful, and aligned with individual values.

Figure 2: Diagram highlighting potential incentives and rewards, estimated cost ranges, and Security Champions coverage

Examples include:

  • Management Recognition: It’s vital to the program for Security Champion work to be explicitly valued and recognized by management as a critical component of a Champion’s work responsibilities.
  • Dedicated Time: The work required of a Security Champion should be recognized as a separate component of the Champion’s day-to-day role, and adequate time should be budgeted solely for that specific role.
  • OKR/Career Framework Input: Along these same lines, Security Champions’ work should be explicitly called out in the form of Objectives and Key Results (OKRs). These OKRs should be weighted to provide an exclusive benefit for achievement over team developers who do not take on this additional role.
  • Security Books: Building good security knowledge and staying on top of emerging security trends is key to the Champion’s role. Consider allocating a budget for Champions to purchase relevant books to continually stay abreast of these trends.
  • Gift Cards/Lunch: The Security Champion role is non-trivial and is an additional work commitment to a Champion’s normal day-to-day role. Giving them periodic gift cards can be an appreciated incentive or reward for taking on and executing that role.
  • OWASP Membership: Continuing security education is key for the Security Champions role. Providing memberships in security-focused organizations like OWASP can help further that goal.
  • Conferences/Conference Training: Similarly, allocating time and budget for security conferences can help further that goal. A conference can take on many different forms. It doesn’t always have to be a large, out-of-town conference. Smaller, local, focused, short-duration security conferences can be equally valuable. Some conference examples would be:
    • Small local conferences
    • Virtual conferences
  • Remote/Virtual Training: Providing exclusive or early access to remote/virtual security training can also effectively incentivize and reward Security Champions.
  • Swag: Swag items (e.g., mugs, cups, hoodies, etc.) can be an effective and fun way to reward all Security Champions and help identify and highlight the role of Security Champions within the company and among the teams they are embedded in.

Conclusion

The “Embed” phase of the 3E framework is essential for integrating security into the software development lifecycle. By establishing a robust Security Champions Program, organizations can ensure security practices are embedded within development teams, fostering a culture of security awareness and competence.

This approach enhances application security and bridges the gap between development and security teams, leading to more resilient and secure software systems. The success of the Embed phase hinges on motivation, ability, and management support, making it crucial for organizations to invest in these areas to build a strong and effective security culture.