We all know it: application security is a shared responsibility, and everyone in the team should act according to the secure development lifecycle. But our experience is that security is one of the first non-functional requirements to be dropped when deadlines approach or when management is setting the budget for the next period.
Some organizations have a security team or group. That can be a good start, but it becomes a problem when the people who "do" security are separated from the people who "do" application development. Often the security team is busy writing security policies, while the development teams are busy producing functionality. The two rarely meet to discuss and exchange points of view. At some point the security team may call a meeting to present their brand-new security policy, which they have already told the board all the teams are following. The development teams, meanwhile, are usually behind schedule and have no time to implement the newly presented policy.
How can we improve on this situation? One approach is to introduce a role in the team that acts as the liaison between the security team and the development team: the security champion. Why a role, you may ask? In our experience managers respond well to roles, and by formalizing this, some actual pressure can be applied when it comes to prioritizing security-related issues (before they are exploited).
The security champion is a member of the team who helps carry the shared responsibility of improving security awareness. She should be the go-to person when it comes to discussing best practices and how other teams approach common issues. The security champion should take part in prioritizing the team's backlog, in cooperation with the product owner. It is important that the product owner understands that he is responsible for all aspects of the product being created, security included.
In a multi-team environment the security champions should meet regularly to discuss and coordinate security efforts across teams. The CTO and/or members of the security team should be present at these meetings. The champions should then update their own teams on any changes to policy or upcoming blockers from other teams. By being a single point of contact for the team, the champion reduces the risk of reported security issues being lost or forgotten.
The security champions can also arrange awareness activities, such as monthly presentations of best practices, lessons learnt, workshops on various tools, and capture-the-flag (CTF) events. Raising the focus on security across the whole organization reduces the risk of becoming the victim of a security incident.
If you don’t have a security champion on your team, take the opportunity and become one!