An overview of the OWASP security champions playbook
The OWASP Security Champions Playbook is a project that was initiated for the purpose of gearing up the OWASP Open Web Application Security Project — namely Security Champions 2.0. This project was started at the OWASP Bucharest AppSec Conference 2017.
See Infosec IQ in action
The Security Champions Playbook details the main steps required to establish a Security Champions Program for every type of organization, regardless of their size and maturity level.
What is the role of a security champion?
Per OWASP’s definition: “Security Champions are the active members of a team. This team makes decisions regarding when a security team should be engaged and what security bugs are present in the applications.” The following graph illustrates the further roles and obligations of Security Champions.
(Source)
In addition to the abovementioned roles, Security Champions help define security best practices, write security tests for identified risks, monitor vulnerabilities in tools and libraries, prioritize security-related stories in Backlog and attend security conferences.
What are the benefits of having security champions teams?
Security Champions teams have numerous advantages. However, the primary ones are listed below:
- They help establish a security culture
- They engage non-security people in thinking about security
- They scale security through the use of multiple teams
What are the topics in the security champions playbook?
Security Champions Playbook consists of six chapters, which are listed below:
1: Identify Teams
2: Define the Role
3: Nominate Champions
4: Set up Communication Channels
5: Build Solid Knowledge Base
6: Maintain Interest
The following sections take a deep dive into the detailed description of each chapter mentioned above.
1. Identify teams
When you want to start your own Security Champion Program, the first step is to map your existing security teams. You need to conduct one-on-one interviews with engineering leads and product owners to achieve better coverage and spread of security. During the interview, you should ask the following questions:
- How many teams are working on one product?
- What programming language or other technologies do they use for this product?
- Where is the storage location and documentation for this product?
- What internal/external services and automated tools are utilized for the development and testing of this product?
- What is the code review process and are there any other security-related activities?
- When is the product released (calendar date)?
- What communication channels are most commonly employed for this product?
- How and to whom will any bugs found in the product be reported?
After the interview, you need to conclude all this exercise in a tabular form. Here is a sample version of the table below:
2. Define the role
Defining the role of security champions is indispensable. It is also essential to measure the current security state in teams, which has been done partially in the previous step. This playbook doesn’t provide a detailed description for building a global AppSec security strategy. Instead, it recommends studying additional existing frameworks, such as Open SAMM. Open SAMM or Open Software Assurance Maturity Model (SAMM) help enterprises to formulate and implement a security strategy for software. You can find more information about Open SAMM here.
Once you have clearly defined your goals for your AppSec program, the next step is to define the appropriate roles for your Security Champions. The following activities are crucial in this regard:
- Conducting or/and verifying security reviews in the team
- Conducting or/and verifying automated scans
- Promoting and guarding best practices. Best practices regarding the software security are crucial. These practices incorporate patching the software, training and educating users, automating routine tasks, enforcing least privilege, creating a robust Incident Response plan, documenting security policies, segmenting the network and integrating the security into the Software Development Life Cycle (SDLC)
- Raising issues for risks in new and existing code. A source code can have several flaws that can lead to big nightmares after its deployment. For example, following lack of standards may result in the lengthy code that can further create ambiguities and performance issues
- Building threat models for new features. This is crucial because it is a fundamental approach for identifying security weaknesses in software programs during the design phase in SDLC
- Investigating bug bounty reports. This can help in reducing the bugs and improving the performance of the software application
- Participating in R & D activities. This involves the innovation, introduction and improvement of the software program. Participating in R&D activities is vital to produce a quality product
In addition, numerous other activities were recognized at the OWASP Summit in 2017. Here is a link where you can find these supplemental activities.
3. Nominate champions
After defining the roles, you need to nominate the Security Champions themselves. For this purpose, you need to use a top-down approach. This approach requires approval from the management at all levels, such as from the C-Suite management to the product owners down to direct team managers. It is also recommended that you prepare a presentation about the defined roles, explaining how these roles can be beneficial for the security team and how much time is required for security operations (20% is recommended in the playbook).
Once you get top-down approval, the next step is to identify your Security Champions through mini-interviews. It is important to remember that at this point, you are still in the nominating stage rather than an appointing stage. Make the potential Security Champions aware of the benefits of the role. The playbook describes the following benefits:
- Working as a part of the security meta-team
- A potential value gain in the IT industry
- Self-development
- Having a role in improving the quality of products
- Attending security conferences
The final step involves official nominations and the addition of a Champion to the security meta-team. After that, the interim security contact is replaced with the Security Champion.
4. Set up communication channels
This step involves creating the communication channels needed to get the nominated Security Champions up to speed. Methods for setting up these channels depend on your corporate culture. Below are some communication channels recommended in the playbook:
- Mailing lists
- Keybase teams
- Yammer groups
- Skype group chats
- Private Slack/IRC channels
Disseminating vital information and then getting feedback on it is also essential. In addition, bi-weekly meetings at the outset can be helpful.
5. Build a solid knowledge base
Building a solid knowledge base is crucial, as it’s a valuable source of answers to all common security-related questions. The underlying topics should be considered essential building blocks in constructing your knowledge base:
- Recommended crypto algorithms
- Password policies
- A detailed description of risks and vulnerabilities
- Secure development of best practices
- Global security strategy
In addition, you will need to pay attention to creating simple, easy-to-follow checklists to make getting things going more efficient. These checklists may include the following titles:
- Privacy checklist
- UI security checklist
- Third-party security checklists
- Web/mobile security checklists
Building a knowledge base from the scratch can be a Herculean task. Several projects are available to help you with this task and make your life easier. These projects all incorporate OWASP: MASVS, ASVS and the Security Knowledge Framework.
6. Maintain interest
The Security Champions ecosystem requires constant support to run effectively. To this end, up-to-date learning material should be provided consistently to Security Champions, and a culture of continuing education should be fostered. Additionally, you should arrange the following activities to keep them engaged in their security tasks.
- Workshops and training: Conducting periodic workshops and training for your teams is crucial to promote best practices and make them aware of the latest security trends and news. To this end, you need to organize an interactive quiz. Example of such quizzes include:
- Kahoot
- ProProfs Quiz Maker
- ECSM Network and Information Security Quiz
- In addition, announcing Hacker Thursday or starting a “Month of Bugs” program is also helpful
- A “Security Champions corner” (e.g. a collection of conference calendars, books, articles, and security library)
- Regular newsletters
- Local OWASP meetings (join an existing one)
Conclusion
In this article, we’ve presented you an overview of the OWASP Security Champions Playbook. Though this playbook is small, it contains a plethora of knowledge for security professionals who want to protect their organizations from internal and external security threats.
As a Security Champion, you can perform various roles such as conducting or/and verifying security reviews in the team, conducting or/and verifying automated scans, promoting and guarding best practices, raising issues for risks in new and existing code, building threat models for new features, investigating bounty reports and participating in R&D activities.
Please consult the rest of the InfoSec Resources page for many more articles on the importance of creating a Security Champions program in your organization and the logistics required to do so.
Sources
- Security Champions 2.0, OWASP
- Security Champions Playbook, OWASP
- Security Champions Playbook, GitHub
-
See Infosec IQ in action
From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader. - A Hybrid Approach to Threat Modelling, Sriram Krishnan
In this Series
- An overview of the OWASP security champions playbook
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness