Security Champions

https://owasp.org/www-project-security-culture/v10/4-Security_Champions/

Information Security people do not scale across teams of developers. A good way to scale security and distribute security across the development teams is by using Security Champions.

Security Champions help to improve the communication between the development teams and the security team. A Security Champion knows the pain points of their teammates' code bases and culture, and is therefore in a good position to present security in a way that directly connects with them.

Security Champions should guide, not police.

Engineering and Careering (Blog)

https://engineeringandcareering.co.uk/engineering-a-solution-to-security

"Security Champions is a pattern that has become popular in the last 5 years and is a way of scaling out security. It focuses on having a single point of contact for security in each team. A team Security Champion operates as a communication conduit and a review point of security quality in the team, performing security code reviews and dedicating time to security initiatives.

I don't think it's a great model on its own. While it might complement other strategies, it has several failure points worth avoiding."

Silos: a problem with lone champions

Silos of knowledge and control slow down getting stuff done by gatekeeping and destroying team ownership and flow.

Security Champion alternatives

"Every company and situation is different. But, if you want to raise the engineering standards of a set of teams, focus on how you can do so without generating silos and bottlenecks. Given these limitations of Security Champions, focus on enabling teams to do a better job and to be able to build good enough software. Whatever you provide, keep the barriers to entry low, make it on demand and as self service as you can.