Dev Teams Don’t Need Fulltime AppSec Members, They Need Security Champions

In this post, we’ll explore whether you need dedicated application security team members in your development team and what the concept of security champions is all about.

Where are all the Application Security Professionals?

There’s a shortage of application security professionals. In fact, statistics have shown that for every 1,000 developers, there’s about one application security person out there. I’ve experienced that firsthand, having been in this field for more than 10 years and having been in a hiring position trying to recruit these very rare application security professionals.

A lot of teams and companies try to hire a dedicated person for a development team to handle application security, when in fact they do not need that on a full-time basis. They also forget that it is hard to find such an individual in the first place.

So, the answer to that is to implement a security champion, but what does that mean?

What is a Security Champion?

A security champion is someone within an existing team whom you identify as showing an interest in security. There’s always someone within your team who has a knack for security.

What you do is enable that person by providing the right training and support from an application security individual so that they are successful. Then they can handle the majority of the problems within that development team.

The question is – how do they cover issues that they don’t understand? That’s where the security champion is supported by a dedicated application security team, either internal to the organization or, if the organization is not large enough to have an internal application security team, an outsourcing provider that has an application security program and can support your team, such as Forward Security.

What Are the Responsibilities of a Security Champion?

What are the responsibilities, and what is expected from the security champion? Can you expect them to do everything that a regular security subject matter expert would do? No, you can’t, because the person already has their existing duties within the DevOps function. You can’t expect them to perform 80% of the database security activities such as:

  • Reviewing false positives of reports
  • Triaging security issues
  • Participating in ongoing threat modeling
  • Being the go-to person for the rest of the development team

At Forward Security, we work closely with our clients to roll out our security champions program. We are there to support those champions, train them, and enable them to be successful in dealing with the low-hanging fruit, resolving the majority of the application’s security problems within the team, rather than outside the team.