Executive | August 9 2021 | 2 min read
In a previous blog post, “Security Alerts: Don’t Developers Have Something Better to Do With Their Time?”, we discussed the time and effort it takes for software developers to review and triage security vulnerabilities and weaknesses discovered by multiple sources, including SAST, IAST, DAST, and SCA tools. One response to this effort has been the rise of the Security Champions program.
The two roles, Application Security Engineer and Security Champion, must work together to achieve maximum benefit from security processes, with one acting as the “governor” and the other as the liaison inside the R&D group. Let’s review the different roles each has:
AppSec Engineers help establish a Secure Software Development Lifecycle (SSDLC), including its standards, processes, and tools. They adopt secure application design and architecture techniques grounded in well-known security practices, such as those for authentication, authorization, and secure session management, along with other focus areas that ensure the Confidentiality, Integrity, and Availability of data.
A Security Champion Program is designed to facilitate and advocate for the role of security in development teams. First, a well-run program will identify the security-oriented developers in the team. Security Champions are involved in security initiatives and act as gatekeepers for security-related features. One of the most important responsibilities of a Security Champion is to act as a liaison between the application security team and other developers in the team or group.
Software development teams should seek out and identify those individuals who have shown expertise and interest in security-related features and frameworks, and who have already proven to be a “people person” and a team player for both the application security and development teams.
Software developers are more likely to listen to and work with someone they already know and who has a good understanding of their tools, code base, infrastructure, motivations, incentives, and more.
Both development and security teams can benefit from this relationship:
With a strong relationship between AppSec Engineers and Security Champions, organizations can deliver code faster while minimizing re-work and risk.
To learn more about how Apiiro can help identify and enable Security Champions, schedule a demo today!