Home > Efficient > Build a Security Champions Program

Build a Security Champions Program

Building Security Capabilities in development teams

It is advisable to have a Security Champion on each development team, to be the focal point of contact with the security team, and to be regularly trained on safe development practices. Executive support for this program from the CEO/CIO is a key factor to success, as otherwise the development teams will not dedicate/commit their time consistently to this program.

What should the Security Champion be like?

Must be an information security enthusiast
Must be a person who likes to teach
Honest / trustworthy, someone who reports problems encountered for risk analysis and provides all necessary information to make decisions in response to a bug (accept the risk, stop deployment to production, mitigate the risk)

What is expected of a Security Champion?

To be with the development team on a day-to-day basis, and gives us the insider view
To learn about safety and create test cases to verify that there are no critical risks
To teach their team members
To help in building threat models , knowing the application inside out.
To be the guardian of good security practices for their team.
To be the vulnerability manager related to the code produced by their team.

Benefits

It is important to generate benefits for these Security Champions as it is additional work they are taking on, such as:

Awards for participating in training sessions
Awards for achieving security code quality goals
Security Question Sessions (Office hours)
Exclusive trainings

Gamification

It is also recommended to give it a playful aspect (Gamification) to encourage competition between teams. Examples:

Team that fixes the most safety flaws
Team that produces code with fewer defects detected by the security team
Participation in AWS Security Game Days . They are performed periodically, contact your Account Manager to identify the next available dates.

Webinar: AWS Summit ANZ 2022 - Scaling security – Optimize for fast and secure delivery (SEC5)

View Webinar

<div style="position: relative; padding-bottom: 56.25%; height: 0; overflow: hidden;">
  <iframe src="https://www.youtube.com/embed/DjNPihdWHeA" style="position: absolute; top: 0; left: 0; width: 100%; height: 100%; border:0;" allowfullscreen title="YouTube Video"></iframe>
</div>

Amazon’s own internal Security Guardians program

If you would like to know more about our program called Amazon Security Guardians review this blogpost: How AWS built the Security Guardians program, a mechanism to distribute security ownership .

Workshops

Threat Modeling the right way for builders: https://catalog.workshops.aws/threatmodel/