The OWASP Security Champions Playbook is a project that was initiated for the purpose of gearing up the OWASP Open Web Application Security Project — namely Security Champions 2.0. This project was started at the OWASP Bucharest AppSec Conference 2017.

 

The Security Champions Playbook details the main steps required to establish a Security Champions Program for every type of organization, regardless of their size and maturity level.

What is the Role of a Security Champion?

Per OWASP’s definition: “Security Champions are the active members of a team. This team makes decisions regarding when a security team should be engaged and what security bugs are present in the applications.” The following graph illustrates the further roles and obligations of Security Champions.

(Source)

In addition to the abovementioned roles, Security Champions help define security best practices, write security tests for identified risks, monitor vulnerabilities in tools and libraries, prioritize security-related stories in Backlog and attend security conferences.

What Are the Benefits of Having Security Champions Teams?

Security Champions teams have numerous advantages. However, the primary ones are listed below:

  • They help establish a security culture
  • They engage non-security people in thinking about security
  • They scale security through the use of multiple teams

What Are the Topics in the Security Champions Playbook?

Security Champions Playbook consists of six chapters, which are listed below:

1: Identify Teams

2: Define the Role

3: Nominate Champions

4: Set up Communication Channels

5: Build Solid Knowledge Base

6: Maintain Interest

The following sections take a deep dive into the detailed description of each chapter mentioned above.

1. Identify Teams

When you want to start your own Security Champion Program, the first step is to map your existing security teams. You need to conduct one-on-one interviews with engineering leads and product owners to achieve better coverage and spread of security. During the interview, you should ask the following questions:

  • How many teams are working on one product?
  • What programming language or other technologies do they use for this product?
  • Where is the storage location and documentation for this product?
  • What internal/external services and automated tools are utilized for the development and testing of this product?
  • What is the code review process and are there any other security-related activities?
  • When is the product released (calendar date)?
  • What communication channels are most commonly employed for this product?
  • How and to whom will any bugs found in the product be reported?

After the interview, you need to conclude all this exercise in a tabular form. Here is a sample version of the table below:

Products Team Technology (s) Security Contact Team leader Product Manager BTS Any Comments
Product0 Alpha Django, Python Johnson Johnson John Smith HELO Utilization of Bandit tool

2. Define the Role

Defining the role of security champions is indispensable. It is also essential to measure the current security state in teams, which has been done partially in the previous step. This playbook doesn’t provide a detailed description for building a global AppSec security strategy. Instead, it recommends studying additional existing frameworks, such as Open SAMM. Open SAMM or Open Software Assurance Maturity Model (SAMM) help enterprises to formulate and implement a security strategy for software. You can find more information about Open SAMM here.

Once you have clearly defined your goals for your AppSec program, the next step is to define the appropriate roles for your Security Champions. The following activities are crucial in this regard:

  • Conducting or/and verifying security reviews in the team
  • Conducting or/and verifying automated scans
  • Promoting and guarding best practices. Best practices regarding the software security are crucial. These practices incorporate patching the software, training and educating users, automating routine tasks, enforcing least privilege, creating a robust Incident Response plan, documenting security policies, segmenting the network and integrating the security into the Software Development Life Cycle (SDLC)
  • Raising issues for risks in new and existing code. A source code can have several flaws that can lead to big nightmares after its deployment. For example, following lack of standards may result in the lengthy code that can further create ambiguities and performance issues
  • Building threat models for new features. This is crucial because it is a fundamental approach for identifying security weaknesses in software programs during the design phase in SDLC
  • Investigating bug bounty reports. This can help in reducing the bugs and improving the performance of the software application
  • Participating in R & D activities. This involves the innovation, introduction and improvement of the software program. Participating in R&D activities is vital to produce a quality product

In addition, numerous other activities were recognized at the OWASP Summit in 2017. Here is a link where you can find these supplemental activities.

3. Nominate Champions

After defining the roles, you need to nominate the Security Champions themselves. For this purpose, you need to use a top-down approach. This approach requires approval from the management at all levels, such as from the C-Suite management to the product owners down to direct team managers. It is also recommended that you prepare a presentation about the defined roles, explaining how these roles can be beneficial for the security team and how much time is required for security operations (20% is recommended in the playbook).

Once you get top-down approval, the next step is to identify your Security Champions through mini-interviews. It is important to remember that at this point, you are still in the nominating stage rather than an appointing stage. Make the potential Security Champions aware of the benefits of the role. The playbook describes the following benefits:

  • Working as a part of the security meta-team
  • A potential value gain in the IT industry
  • Self-development
  • Having a role in improving the quality of products
  • Attending security conferences

The final step involves official nominations and the addition of a Champion to the security meta-team. After that, the interim security contact is replaced with the Security Champion.

4. Set Up Communication Channels

This step involves creating the communication channels needed to get the nominated Security Champions up to speed. Methods for setting up these channels depend on your corporate culture. Below are some communication channels recommended in the playbook:

  • Mailing lists
  • Keybase teams
  • Yammer groups
  • Skype group chats
  • Private Slack/IRC channels

Disseminating vital information and then getting feedback on it is also essential. In addition, bi-weekly meetings at the outset can be helpful.

5. Build a Solid Knowledge Base

Building a solid knowledge base is crucial, as it’s a valuable source of answers to all common security-related questions. The underlying topics should be considered essential building blocks in constructing your knowledge base:

  • Recommended crypto algorithms
  • Password policies
  • A detailed description of risks and vulnerabilities
  • Secure development of best practices
  • Global security strategy

In addition, you will need to pay attention to creating simple, easy-to-follow checklists to make getting things going more efficient. These checklists may include the following titles:

  • Privacy checklist
  • UI security checklist
  • Third-party security checklists
  • Web/mobile security checklists

Building a knowledge base from the scratch can be a Herculean task. Several projects are available to help you with this task and make your life easier. These projects all incorporate OWASP: MASVS, ASVS and the Security Knowledge Framework.

6. Maintain Interest

The Security Champions ecosystem requires constant support to run effectively. To this end, up-to-date learning material should be provided consistently to Security Champions, and a culture of continuing education should be fostered. Additionally, you should arrange the following activities to keep them engaged in their security tasks.

  • Workshops and training: Conducting periodic workshops and training for your teams is crucial to promote best practices and make them aware of the latest security trends and news. To this end, you need to organize an interactive quiz. Example of such quizzes include:
  • In addition, announcing Hacker Thursday or starting a “Month of Bugs” program is also helpful
  • A “Security Champions corner” (e.g. a collection of conference calendars, books, articles, and security library)
  • Regular newsletters
  • Local OWASP meetings (join an existing one)

Conclusion

In this article, we’ve presented you an overview of the OWASP Security Champions Playbook. Though this playbook is small, it contains a plethora of knowledge for security professionals who want to protect their organizations from internal and external security threats.

As a Security Champion, you can perform various roles such as conducting or/and verifying security reviews in the team, conducting or/and verifying automated scans, promoting and guarding best practices, raising issues for risks in new and existing code, building threat models for new features, investigating bounty reports and participating in R&D activities.

Please consult the rest of the InfoSec Resources page for many more articles on the importance of creating a Security Champions program in your organization and the logistics required to do so.

 

Sources

Security Champions 2.0, OWASP

Security Champions Playbook, OWASP

Security Champions Playbook, GitHub

A Hybrid Approach to Threat Modelling, Sriram Krishnan