A Security Champion is a person who acts as a driving force and motivator for security work within a team or department/unit. The responsibility for security lies with the team as a whole, but as a Security Champion, you contribute to awareness and focus.
Simply put, a Security Champion is an ambassador for security, the team's security conscience.
1 - Bouvet Security Champion
A Security Champion is not a defined role in Bouvet; it is simply a person who is passionate about security and helps to focus on security in our deliveries. Anyone can become a Security Champion - if you want to, you can!
Why “Security Champion”
The term “Security Champion” has become an established concept to encompass people who do not necessarily work directly with security but can act as a bridge between formal security roles and development teams.
There are many ways to implement a Security Champion program; OWASP has a relatively comprehensive list of points for a program in which Security Champions have a more formal role. At Bouvet, we have chosen a different solution, inspired by NAV and Equinor, where the role is more informal and each person contributes as much as they are able and have the capacity for.
What does a Security Champion do?
This will vary between regions, units, and teams, but largely it is up to each Security Champion to decide how much they can engage beyond their own project. The Slack channel #security-champions is used to announce events, share useful information and anything else related to Security Champions in Bouvet.
In addition, many use the Slack channel #sikkerhet to share news, ask questions, or post tips and tricks. Some regions also have regular meetings for all Security Champions, in addition to arranging courses, meetups, lectures, and much more.
Bouvet is becoming a large company with a wide range of projects, and security is a vast area where everyone has something new to learn every day. We love sharing knowledge, so it’s great if YOU want to get involved and share what you know with others - no matter how basic or advanced the topic might be.
And most importantly, we primarily sell competence, and having more engaged Security Champions is never a bad thing. If you are unsure about what you are allowed to do or not, talk to your nearest manager and the other Security Champions in your region, and you will surely find a solution.
Congratulations, you have now become one of those who work to create a better world! The hardest part is now done, so let’s start taking small steps in the right direction.
Regardless of your background (developer, tester, project manager, etc.), points 1, 2, and 3 can be done by everyone.
1. Create Awareness in the Delivery Team
You can start by asking yourself a few questions:
What does this project I am working on actually do?
What is critical for the system to function?
How could this system be misused, and what attack surfaces does it expose?
Is there an updated threat model with corresponding measures to prevent the exploitation of weaknesses?
As you begin to create awareness, you can move on to find out more. Now you can start taking some initiative in your team.
A good starting point is to organize a threat modeling exercise. You don’t need to know anything about threat modeling beforehand; you can get some support here and on the Threat Modeling Manifesto website. The goal of the exercise is for you and your team to become aware of the threats to your system and perhaps start thinking about countermeasures.
Consider establishing a bug bounty program (rewarding people for finding bugs) or something else that gets your team actively involved in finding issues that should or must be solved.
Be a bit creative and try to get the team involved; a Security Champion who doesn’t get the team involved often doesn’t accomplish as much as they would like.
2. Do We Have Control Over Our Entire Project?
If the answer is yes, let’s correct that to no. There is always more that can be done. We have created a checklist that should be gone through for every single project we are involved in; all our delivery teams should be familiar with the points in this list and understand the risks they pose if sensible measures are not implemented. You can find the list here.
Going through this list helps you gain control over, among other things:
Responsibilities and routines
Third-party software
Building and deploying solutions
Disaster recovery
Business Continuity
Infrastructure
Source code
Remember, you don’t have to do everything at once; get the team involved and do it part by part until you have even better control over the project. You don’t need to know everything about this, but together with your team, you should be able to figure it out.
3. Protect Users and the Company’s Reputation
Borrowing from the ethics training given in the military, we get a couple of useful questions to use as a starting point.
Is it legal?
Is our solution legal, or do we risk fines from the data protection authority? Should we improve this?
Is it tactically smart?
Let’s strike out “tactically” and simply ask: is it smart? Is it smart to build this feature, or to set it up this way?
Now it’s time to look at a classic, the OWASP Top 10, and make sure we have avoided these mistakes - but that is only the baseline. To really have control over the code and solutions, we need to tackle other measures as well; you can find several of these described in the article on security practices.
3 - Contributing outside the team
If you are interested in raising the security culture beyond the team, get involved! At Bouvet, we hold regular gatherings - Bouvet ONE - where we host talks on everything under the sun, often with dedicated security tracks. We have also held specific Bouvet ONE events dedicated to security. Here, everyone is free to contribute - all talks are appreciated, no matter how simple you might think your topic is.
Get Involved with Regional Security Champions
Most regions in Bouvet have their own Security Champions gatherings on a regular basis, where knowledge, tips, tricks, and much more are shared. Get involved here and help build a regional security culture in the developer teams!
All developers should be familiar with the basic principles of security and secure development, but to achieve this we need to go out among people and share knowledge. The OWASP Top 10 is always relevant, so if you feel like it, set up a session with colleagues in the surrounding units. You can make it really elaborate and run demos of every single point, but you can just as easily keep it low-threshold and simply talk through the points.
The most important thing is that you engage and help spread knowledge!
Get Involved Nationally
There is a national Security Champions community where you can get involved to meet like-minded individuals. Several conferences and user groups in Norway related to security offer opportunities to contribute, such as: