Building Security Capabilities in development teams (Security Champions)

It is advisable to have a Security Champion on each development team, to serve as the focal point of contact with the security team and to be regularly trained in secure development practices.

What should the Security Champion be like?

  • Must be an information security enthusiast
  • Must be a person who likes to teach
  • Honest / trustworthy, someone who reports problems encountered for risk analysis and provides all necessary information to make decisions in response to a bug (accept the risk, stop deployment to production, mitigate the risk)

What is expected of a Security Champion?

  • To be with the development team on a day-to-day basis and give us the insider view
  • To learn about security and create test cases to verify that there are no critical risks
  • To teach their team members
  • To help in building threat models, knowing the application inside out.
  • To be the guardian of good security practices for their team.
  • To be the vulnerability manager related to the code produced by their team.

Benefits

It is important to offer benefits to these Security Champions, since they are taking on additional work. Examples:

  • Awards for participating in training sessions
  • Awards for achieving security code quality goals
  • Security Question Sessions (Office hours)
  • Exclusive trainings

Gamification

It is also recommended to add a playful aspect (gamification) to encourage competition between teams. Examples:

  • Team that fixes the most security flaws
  • Team that produces code with the fewest defects detected by the security team
  • Participation in AWS Security Game Days. They are run periodically; contact your Account Manager to identify the next available dates.