© 2020 Denim Group – All Rights Reserved
Building a world where technology is trusted.
Dan Cornell | CTO, Denim Group
Security Champions: Pushing Security Expertise to the Edges of Your Organization
April 2020
Dan Cornell
• Founder and CTO of Denim Group
• Software developer by background
• OWASP San Antonio co-leader
• Over 20 years' experience in software architecture, development, and security
Pandemic Haircuts
How we can help:
Denim Group is solely focused on helping build resilient software that will withstand attacks.
• Since 2001, helping secure software
• Development background
• Tools + services model
Offerings: Advisory Services, Assessment Services, Remediation Services, Vulnerability Resolution Platform
Agenda
• Background
• Evolution of Software Security Assurance Programs
• Program Development
• Additional Resources
• Questions
Evolution of Software Security Assurance Programs
Evolution of SSA Programs
• Random Pen Tests
• Central Software Security Group
• Security Champions
Random Pen Tests
• Scope
  • “High-value” applications
  • As required by compliance
• Frequency
  • Ad hoc
  • Quarterly/annual
• Staffed by
  • Additional duty for network vulnerability management
Central Software Security Group
• Scope
  • More comprehensive
  • Risk-ranking and metadata
• Frequency
  • Quarterly/annual
  • Targeted by risk
• Staffed by
  • Dedicated software security professionals
  • Teams growing over time and adding specialization
Security Champions
• Scope
  • Comprehensive
  • Risk-ranking and metadata
• Frequency
  • Add CI/CD integration
• Staffed by
  • Existing central Software Security Group
  • Security champions drawn from development teams or hired specifically for the role
What Are Security Champions?
Security expertise embedded in or attached to development teams
Program Development
Program Development
• Mandate
• Defining Roles and Standards
• Launch
• Optimize
Mandate
• What do you want your Security Champions program to do?
• And what do you not want it to do?
• There are a lot of aspects to an application security program
• What do you want your security champions to accomplish?
Mandate
• BSIMM
  • https://www.bsimm.com/
• OWASP SAMM
  • https://owasp.org/www-project-samm/
Example Models
• Improve vulnerability remediation process
• Accelerate testing and threat modeling
• Train developers on security
• Integrate testing into CI/CD pipelines
Defining Roles and Standards
• Roles
• Standards
Roles
• Naming
• Responsibilities
• Capabilities
• Make these formal roles with responsibilities and advancement paths
• Explicitly set expectations on time commitment
Example Roles and Capabilities
Standards
• “The key is enablement”
• Standardize (to the degree possible)
  • Terminology
  • Knowledge base
  • Training
Standards
• Vulnerability severity standards
• Scanning and testing workflows
• Vulnerability remediation workflows
Standards
• Secure coding guidelines
  • Focus on checklists/lightweight materials
  • https://owasp.org/www-project-cheat-sheets/
  • Vet for recency/applicability
• Training curriculum
  • What topics
Launch
• Build the team
• Begin the rollout
Team Process
• Recruitment
• Training
• Growth
Recruiting Security Champions
• Selecting and training from within development teams
• Bringing in new team members with security-specific duties
Select and Train
• Familiar with team, tools, processes
• Typically limited security knowledge
  • Requires training and time
• Security is an additional duty on top of development tasks
• How to identify?
  • Volunteers; students with aptitude and interest identified via training classes, hackathons
Bringing In New
• Must become familiar with teams, tools, and processes
• Can hire for specific skills
• Security is typically their duty
• May serve as security “overlay” for multiple teams
So Which Is Better?
• Unsurprisingly, it depends
• Go back to Mandate and Roles
• If you want to accelerate the vulnerability remediation process, Select and Train may be more appropriate
• If you want to provide more testing and threat modeling, Bringing In New may be more appropriate
Training Security Champions
• Should have required skills and capability levels – refer to your Doctrine
• Options
  • Instructor-led training (outside) <- COVID-19!
  • Instructor-led training (inside) <- COVID-19!
  • E-Learning
  • Self-study (OWASP materials, etc.)
Career Growth
• Must be seen as a viable career path
• Refer back to skills and capability levels
• Ongoing technical training
  • Conferences <- COVID-19!
  • Vulnerability research
  • Leadership training
Periodic Reviews
• Are you achieving your desired outcome?
• What has it cost?
• Is that the best use of resources?
Some Thoughts
• People like the idea of Security Champions programs
• They are harder and cost more than expected
• If managed well, they can provide speed and scale
• As DevOps becomes DevSecOps, Security Champions will become the norm
Success Factors
• Have a solid mandate
• Allocate sufficient resources
• Focus on enablement
• Start small and evolve
Additional Resources
Security Champions Playbook
https://github.com/c0rdis/security-champions-playbook
@DinisCruz, SVP of Engineering and CISO at Glasswall
Twitter thread on their Security Champions program:
https://twitter.com/DinisCruz/status/1252973586131881985
Questions
@denimgroup
www.denimgroup.com