How Do Security Champions Enable a DevOps Culture?
DevOps as a whole is a state of mind for organizations. It helps them to deliver applications and services by espousing a culture and best-practice methodology that drive product development and service provision.
Champion roles are important in IT circles, especially where product knowledge or specific framework knowledge is required. But how do security champions fit into the more traditional DevOps space? Quite well, as it turns out.
Security champions are an important backup mechanism. They help to keep the wheels turning in a project: by taking on leadership-type roles and decisions within smaller dev teams, security champions create a buffer for the team leader, giving them the freedom they need to drive the project forward while the champions reinforce security best practices within it.
First things first: identify who you are working with and who is going to be performing which tasks. This sounds obvious, but it needs to be done as early as possible during the course of your DevOps champion project. The main purpose of this exercise is to distribute the implementation of security practices. Documenting these teams is also important so that the rest of the development departments all know who is responsible for which tasks.
In order to do this, it is generally a good idea to speak with the technical managers and decision-makers (such as product owners and company heads) and find some answers to key questions. Find out how many people are working on the different projects that are being undertaken and how they fit into the dev teams that are currently working on the project. Find out what programming languages and frameworks are being used, as well as the current status of their implementation.
Security Champion Role Distinction
Each team should have its own designated security champion. To make sure that this is done effectively, the security champions need to know exactly what they are supposed to be doing. Clear goals and objectives need to be set up for them to follow, and the rest of their team must communicate effectively in order for the best security practices to be implemented in the project.
The actual security framework that the project follows as a whole would have already been chosen when the project was in its planning phases, so the security champions need to ensure that the input they give their teams is in line with this overarching set of guidelines. Team members will need to work with the security champions in order for the security of the application to stand up to the rigors of a code audit and penetration testing.
Security champions must conduct regular security reviews, especially as milestones are achieved or are about to be achieved. This is only made possible by the rest of the team’s adherence to the best practice models that have been instituted in the department. The issue of guarding security best practice is not the sole domain of the designated team champions; rather, it is a collaborative exercise throughout the entire project team.
This means that raising issues such as security flaws and potential risks in the programming of the application is everyone’s responsibility. Each and every new feature should be understood from a threat assessment point of view and each security issue must be addressed and added to a development snag list.
Developers and security champions don’t have to wait for a pentester to come and test out their application. Auto-scans and pentests should be regularly conducted as part of the internal development process.
Choose Your Champions
Everyone now knows what the teams need to be doing, as well as what the security champions are responsible for, so now it’s just a question of finding the right people to assume this vital role. This is generally driven by the project manager and product owners but consultation with the dev teams is not unheard of, as agreement on all levels usually results in a far smoother process.
The chosen security champion will be constantly communicating with their team, ensuring that security is a top priority with all development. This reinforces the notion that everyone is responsible for security, and not only the one or two people in the project. To further bolster this position, define a minimum amount of time to be spent on security-related efforts so that the developers are always thinking about ways to make the application that much more secure.
The important thing to remember is that most people are not thrilled with the prospect of picking up more work responsibilities than they already have. As a result, you might find that you will have to sell the security champion tasks as a benefit to the nominees that have been earmarked for this role.
There are some positive takeaways for these champions, such as being able to add this role to their resumes and additional training and exposure to product owners and management. Security champion roles can also lead to career advancements and career development, so it really does have some solid benefits.
Keep the Information Flowing
Security champions need to be in constant communication with their team, as well as the project leader. How your company does this is up to you, as there are hundreds of different communications channels that can be used for collaborative project work. Messaging apps, email, VoIP apps and even mobile phone apps are all quick and non-invasive communications methods that can help your team to stay in touch without losing productivity, as happens with continual meetings in the boardroom.
You will also want to centralize as much of the technical data as possible so that your team has secure access to it. There are plenty of solutions out there, some of which are free. This can encourage a collaborative approach to product development rather than keeping everyone in isolated smaller groups that do not communicate and share knowledge with one another.
Conclusion: The End Game
If utilized correctly, your security champions should be bringing added value to your project. The intention is that they help to create a culture of security awareness and consciousness, which in turn leads to safer applications and higher-quality security features.
This takes an immense amount of pressure off the team lead, as they only need to check in periodically with the security champions of each team rather than drill down into the project as a whole and then try to assess the level and implementation of security in the application.
DevOps teams need security champions to help instill a sense of responsibility, initiative and drive within their department. As things progress, so too will the level of participation of your security champions. This has knock-on benefits for the company as a whole, as security champions start to launch their own initiatives and suggestions that will ultimately contribute to the product and the organization.