3. Agenda
Whoami
What is a Security Champion?
What do they do?
Why you should become one
Who qualifies
Training Security Champions
What it takes to be a Security Champion
Weekly meetings
Threat models
Jira risk overflow
Security Champions playbook
Benefits of having Security Champs
4. root@whoami
• Kunwar Atul
• Yet another AppSec and DevSecOps guy
• Break – Fix – Repeat
• Part-time bug hunter
• Synack Red Team member
• OWASP MASVS Hindi and DevSecOps University contributor
• I love knowing what's going on (emerging vulns, tools, PoCs), CTFs, offensive security work, cricket, and no compromise on food and coffee.
• Social media: kunwaratulhax0r
5. What is a Security Champion?
Security Champions are active members of a team who help decide when to engage the Security Team.
They act as the "voice" of security for their product or team.
They assist in the triage of security bugs for their team or area.
They focus on the AppSec side of security: code, apps, CI, secure coding standards, threat models, frameworks, code dependencies, QA, testing, fuzzing, dev environments, DevOps, and so on.
This is in contrast to traditional Infosec: networks, firewalls, server security, antivirus, IDS, logging, NOC, policies, end-user security, mobile devices, AD/LDAP management, and so on.
6. What Do They Do?
Collaborate with other Security Champions: review the impact of 'breaking changes' made in other projects.
Attend weekly meetings.
Are the single point of contact for their assigned team.
Ensure that security is not a blocker on active development or reviews.
7. Why You Should Become One
A great opportunity for your career.
Learn more application security:
• Offensive techniques ('how to exploit an OWASP Top 10 vulnerability')
• Defensive techniques ('how to write secure code')
• Code review techniques
Solve hard technological problems in development, testing and visualization.
Meet members of other teams and improve your internal network.
9. Training Security Champions
Training is key to improving Security Champion (SC) skills.
Wiki pages that link to actual issues and relevant resources make a massive difference.
The best training is built on top of the languages and frameworks the teams actually use.
Vulnerable-by-design apps (or older versions of the current main apps with known vulnerabilities) are a great way to learn, by exploiting them and then fixing them.
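The kind of exercise the slide has in mind, as an added example that is not part of the original deck: a tiny vulnerable-by-design login check against an in-memory SQLite table (an OWASP Top 10 injection flaw), next to its parameterised fix. A champion first breaks the vulnerable version with two classic payloads, then confirms the same payloads fail against the fixed version. The table, the user rows and the function names are constructed for this exercise; they are not code from any real application.

```python
"""Vulnerable-by-design login check beside its hardened twin.

Added training example, not from the slides. Table name, columns and the
two user records below are constructed for the exercise. Passwords are
stored in plaintext only to keep the injection lesson short; that is a
separate flaw a champion would also flag in review.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Deliberately vulnerable: user input is spliced into the SQL text,
    so quotes and comment markers in the input become SQL syntax."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    row = conn.execute(sql).fetchone()
    return {"username": row[0], "role": row[1]} if row else None


def login_fixed(conn, username: str, password: str):
    """Hardened: '?' placeholders pass the input to SQLite as bound
    values, so it can never change the structure of the query."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return {"username": row[0], "role": row[1]} if row else None


# Two textbook payloads a champion would try during the exercise.
TAUTOLOGY = "' OR '1'='1"   # password field: makes the WHERE clause always true
COMMENT_OUT = "alice'--"    # username field: '--' comments out the password check


def exercise() -> dict:
    """Run both payloads against both implementations and collect results."""
    conn = make_db()
    return {
        # No valid account, yet the first row (alice, admin) comes back.
        "vuln_tautology": login_vulnerable(conn, "attacker", TAUTOLOGY),
        # Known username, wrong password, still logged in as alice.
        "vuln_comment": login_vulnerable(conn, COMMENT_OUT, "wrong"),
        # Same payloads against the parameterised query: no match.
        "fixed_tautology": login_fixed(conn, "attacker", TAUTOLOGY),
        "fixed_comment": login_fixed(conn, COMMENT_OUT, "wrong"),
        # Legitimate credentials still work after the fix.
        "fixed_legit": login_fixed(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for name, result in exercise().items():
        print(f"{name:16} -> {result}")
```

Running the file prints a bypass for both vulnerable cases and `None` for both fixed cases, with the legitimate login still succeeding. The same pattern (break the old version, then diff it against the fixed version) transfers to any vulnerable-by-design app or older release mentioned on the slide.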
10. What it takes to be a Security Champion
To become a Security Champion, it is essential that you want to be one.
You need to be a programmer and understand code, because your job is to start looking at your application and understand its security properties.
11. Weekly Meetings
• Should happen every week, but a good compromise is for them to occur every other week.
• Some examples of what to present at these meetings:
• Latest news in AppSec (DDoS, exploits, etc.)
• Latest bug-bounty findings and payments (a really good source of real-world examples)
• Issues found and issues fixed (on the SC's application or service)
• Secure coding techniques
15. Identify The Teams
1 product = 1 team?
Technologies?
Documentation?
Communication?
Management?
Current reviews?
Release calendar?
16. Define The Role
Produce clearly defined roles for the Champions.
Identify places where Champions could help.
Define goals you plan to achieve in the mid-term.
Measure the current security state among the teams.