Better together: Security champions and application security engineers

In a previous blog post – Security Alerts: Don’t Developers Have Something Better to Do With Their Time? – we discussed the time and effort it takes for software developers to review and triage security vulnerabilities and weaknesses that are discovered by multiple sources, including SAST, IAST, DAST, SCA tools. As part of minimizing this effort, we have seen the rise of the Security Champions program.

The two roles, Application Security Engineer and Security Champion, must work together to achieve maximum benefit from security processes, with one acting as the “governor” and the other as the liaison inside the R&D group. Let’s review the different roles each has:

Application Security Engineers

AppSec Engineers help establish a Secure Software Development Lifecycle (SSDLC), including standards, processes, and tools. They adopt secure application design and architecture techniques based on well-known security practices, such as for authentication and authorization, along with secure session management and other focus areas to ensure Confidentiality, Integrity, and Availability of data.

Security Champions

A Security Champion Program is designed to facilitate and advocate for the role of security in development teams. First, a well-run program will identify the security-oriented developers in the team. Security Champions are involved in security initiatives and act as gatekeepers for security-related features. One of the most important responsibilities of a Security Champion is to act as a liaison between the application security team and other developers in the team or group.

Software development teams should pursue and identify those individuals that express expertise and an interest in security-related features and frameworks and also have already proven to be a “people person” and a team player for both application security and development teams.

Software developers are more likely to listen to and work with someone they already know and who has a good understanding of their tools, code base, infrastructure, motivations, incentives, and more.

A Symbiotic Relationship

Both development and security teams can benefit from this relationship:

• Application Security Engineers:

• • 1. Have an “inside” person acting as an advocate for security-related features and tools
    2. Receive valuable information and feedback from development teams about “pain” points with tools and methodologies
    3. Benefit from Security Champions’s ability to smoothly manage push-back from development teams that usually happens when integrating new tools or processes into the SDLC

• Security Champions

• 1. Have better access to the security department and can influence procedures that are set up by the security team
  2. Can help the Dev teams accelerate delivery and minimize re-work by helping identify and address security issues earlier in the SDLC
  3. Learn about security in-depth with specialized training, making them more valuable to their teams and the organization as a whole
  4. Have the opportunity to take on a leadership role on their teams

With a strong relationship between AppSec Engineers and Security Champions, organizations can deliver code faster while minimizing re-work and risk.

To learn more about how Apiiro can help identify and enable Security Champions, schedule a demo today!