Dev Teams Don’t Need Fulltime AppSec Members, They Need Security Champions

In this post, we’ll explore whether you need dedicated application security team members in your development team and what the concept of security champions is all about.

Where are all the application security professionals?

There’s a shortage of application security professionals.

James Wickett, Senior Security Engineer at Verica, cites a ratio of “1 InfoSec person per 10 infrastructure people per 100 developers in large companies.”

I’ve experienced this firsthand being in this field for the last 10 plus years and in a hiring position. Trying to hire these application security professionals is difficult because there are so few of them, especially ones with prior software development experience.

Many teams and companies try to hire a dedicated person to handle application security for a development team when in fact they do not need that role on a full-time basis. They also overlook how hard it is to find that individual.

The answer to that is to implement a security champion.

What is a security champion?

A security champion is someone within an existing team who shows an interest in security. There’s always someone within your team who has a knack for security.

By enabling that person with the right training and support from an application security individual, they can handle a majority of the problems within that development team.

The question is – how do they cover issues that they don’t understand?

The security champion is supported by a dedicated application security team, either internally or, if the organization is not large enough to have an internal application security team, through an outsourced provider such as Forward Security, which has an application security program and can support your team.

What are the responsibilities of a Security Champion?

It’s not reasonable to expect the security champion to do everything that a regular security subject matter expert would do. That individual already has their existing duties within the DevOps function. However, you can expect them to perform 80% of the database security activities such as:

  • Reviewing false positives of reports
  • Triaging security issues
  • Participating in ongoing threat modeling
  • Being the go-to person for the rest of the development team

At Forward Security, we work closely with our clients to roll out our security champions program. We are there to support those champions, train them, and enable them to be successful in dealing with the low-hanging fruit, resolving the majority of the application’s security problems within the team, rather than outside the team.