This document outlines a refresher and updated playbook for a Security Champions program. It discusses identifying teams to engage, defining the Security Champion role and expectations, nominating Champions, establishing communication channels, building a training program, and maintaining interest. The goals of the program are to have internal security points of contact for each team to help disseminate secure practices and assist with security issues. An effective training program provides Champions with knowledge and resources to promote security changes within their teams.
1. Return of The Security Champions
Ep. 1/2
Marcos Valle
10/03/2021
3. whoami
Sr Security Engineer @ Glovo
Product Security leader
SSDLC / AppSec
Vulnerability Management
Offensive testing
Security Champions (duh)
4. Security Champions Refresher
The internal security point of contact for the team
Help team managers to monitor that best practices are followed by the team
Disseminate the security by design philosophy company-wide
Assist in mitigating vulnerabilities related to the team and its products
Assist the security team when solving incidents related to the team and its products
Actively participate in the internal and external security community
Provide assistance and feedback during PoCs
A dedicated software developer, engineer or system administrator who acts as a core element of the security assurance process within a product, service or system.
6. 1. Identify the Teams
Company culture
Internal/external procedures
Document the results publicly
Establish connections and gain trust
Not just a table, human interactions!
Map the existing organizational structure you will be working with.
7. 2. Define the role
Explicitly state what is and what is not expected from them
Remember: Security Champions are NOT Security Engineers
What are the benefits?
For the company
For the Champions
For their teams and managers?
Time commitment (~20%):
Maturity level
Quantity of SCs
Criticality of the team/product
Document definitions in a Wiki page
The main objective of this step is to come up with tangible goals, and to prepare clear role descriptions for future Security Champions
8. 2. Define the role
Measure progress - Example KPIs
# of products covered
% of training path completed
Rate of increase in proactive engagements by Champions
OWASP Top 10 Maturity Categories for Security Champions
Project roadmap
Milestones
Timelines
Events
Main tasks
9. 3. Nominate Champions
Per team
Per platform:
Mobile
Backend
Frontend
Microservices
Platform
UX
Remember to get approval on all levels!
10. 3. Nominate Champions
How many Security Champions?
Large enough to cover your org
Small enough to keep close relationships
Ideally, < 50
11. 3. Nominate Champions
Onboarding process
1:1s
Introduce newbies to the other champions
Communicate it company-wide
Add them to channels, events, meetings etc
Start trainings ASAP
Assign a first task
13. 5. Knowledge base
Do not expect many results if you do not provide enough resources
Empower developers with the right security toolset
SCs have different backgrounds and experiences
A static knowledge base might not be enough
14. Building a training program
Foundational:
Security Champions 101
Secure Coding / OWASP Top 10
Security Assessments
Threat Modeling
Incident Response
Governance, Risk and Compliance
Internal:
Vulnerability Management: Escalated assignment
Incident Response playbooks
Policies, Procedures, Standards, Guidelines
Security toolset (CI/CD, SIEM, BB etc)
15. Building a training program
Training Sessions
Trainings must provide the necessary knowledge and resources for the Champions to be able to promote a change in the security posture inside their teams.
Furthermore, it is a communication tool between the core Security Team and other teams.
16. Building a training program
Level 0 - Company-wide training (General Trainings)
Level 1 - Security Champion - Foundational topics (Security Champions Basics)
Level 2 - Security Champion++ - Specific trainings (Platform Specific Trainings):
Android/iOS security
Backend (Spring Boot, Java etc)
Frontend (Vue, Next etc)
Infrastructure (Cloud, BTD etc)
Level 3 - Security Rockstar - Proven experience (Real-world experience, 3+ months)
Timeline markers on the slide: 1Q, 2Q
17. 6. Maintain Interest
How to maintain motivation/engagement:
SRC: ENGAGEMENT MAGIC: Five Keys for Engaging People, Leaders, and Organizations
Strong technical leadership is essential in the first stages
19. True benefits
Communication
Context and visibility
SPOC
Increased security awareness
Offloading of the core security team
Better overall quality of the code
Makes teams and managers feel more secure when it comes to security
Effective way to boost the shift-left movement
Improvement of the Vulnerability Management Program