Application development can be linked closely to Newton's Third Law of Motion: for every action there is an equal and opposite reaction. Developers simply want to develop, but seemingly whenever they do, application security (AppSec) teams fire back with concerns about the safety of the application, breeding tension and slowing development. In the wake of this tension, we must ask how we can ensure security while maintaining a streamlined development process. Enter the rise of "security champions."
A security champion program spreads awareness of security best practices across an organization in order to reduce overall security risk. Security champions are individuals who otherwise would not be involved in security, but who receive additional training and incentives to represent security on their teams. The trend grew out of the concern that the average developer is not measured on security and therefore is not focused on maintaining it. There is a popular belief, particularly where open-source code is used, that security is not part of the development process because it is not the developer's responsibility to ensure the code is secure; this rests on the assumption that the code being used is already reliable. Security teams, while necessary, are often viewed as bottlenecks that keep developers from continually shipping code.
This all bubbles up to the creation of security champions on the research and development (R&D) teams: developers who are trained in AppSec and bridge the gap between the typical developer and the security team.
Why Security Champions are Essential
Security champions are essential in the application development process because they ease the tension between the security team and the developers. Two opposing forces are at work: developers want to develop, and AppSec teams, tasked with ensuring security, stand in the way of that development. Much as in an everyday argument, security champions can serve as an impartial arbitrator between the development team and the AppSec team. They shed light on both perspectives so that each side can understand the other's reasoning and actions.
So what causes this tension? It is often said that familiarity breeds contempt, and while that may be true, the real source of this tension is a lack of understanding, which is what gave rise to security champions. Developers may believe that AppSec teams are standing in the way of their success, and AppSec teams may believe that developers are acting irresponsibly by not confirming that their code is secure, but in reality all teams are working toward the common goal of effective, usable applications that are safe from disruption. Nobody is actively trying to make anyone's life harder, and security champions are the ones who convey that message.
One key question to ask before implementing a security champion program is whether your team is currently operating effectively and efficiently. If it is, the security champion strategy may not be appropriate at this time. However, if there is palpable tension between your development team and the AppSec team, and the team is consistently hitting barriers in application development, security champions could help not just in easing tensions within your organization, but in streamlining the application development process and getting your organization back on track.
Additionally, on a more macro level, we must keep in mind that security is all about risk management. No team can address every single cybersecurity issue in application development; if that were possible, the field of cybersecurity would cease to exist as we know it. Understanding that developers are sometimes going to hit these "security" roadblocks is crucial, because those roadblocks are in place to help organizations ultimately deliver a more polished, secure product.
How and When Should I Become a Security Champion?
Now is as good a time as any to become a security champion. It is time to rethink the development and AppSec approach and to incorporate security champions in order to streamline not only finding vulnerabilities during the development lifecycle, but also remediating them before they turn into larger issues.
Lastly, there are developers who genuinely want to make the applications they build as secure as possible; the key is genuine AppSec training for these developers, turning them into the aforementioned security champions. This will enable developers to better understand the importance of AppSec, ease tension between teams, and work more efficiently.
The traditional AppSec approach is dated and consumes too much time in ensuring the security of developed code. It is time to implement a new process, and the security champions strategy can be your first step toward a revolutionized development process.
Ori Bendet is VP of Product Management at Checkmarx.