Application security has always been important. But since organizations are constantly moving towards shorter development cycles, increased release frequency, and increasingly complex application architectures, it has become more important than ever to consider application security at all stages of the development lifecycle.
To do so, the mindset of development teams must evolve, and those who are building the software must take greater responsibility for the security of the end product. In other words, instead of relying on an extensive post-development testing phase to root out security shortfalls and bolt on solutions, teams must adopt a shift-left approach.
Making an effective move towards a shift-left approach to application security requires developers to increase their awareness of security concerns during the design and development phase as well as employ secure coding practices to avoid introducing vulnerabilities into their applications and services. Changing the culture in this way will almost certainly require help at the ground floor – that is, from the development team itself. And one way in which organizations can acquire such help is through selecting and empowering developers to act as security champions.
In the context of AppDev, security champions are motivated developers who are interested in continuously exploring and adopting best practices for coding securely. These developers must be willing to take an influential position within their development team as well as their wider organization.
As security champions, selected developers must act as resources for the security team, facilitating a better understanding of the processes that the development team follows. In addition, they must be willing to assist fellow development team members with security-related questions and educate them about using the secure coding practices that are necessary for ensuring that their applications are being built with security in mind. At a higher level, security champions can be involved in setting their organization’s standards for coding securely as well as bringing greater awareness of security concerns to the organization as a whole.
These responsibilities come with career-building benefits for the developers who fill this crucial role of mentor and evangelist. One of the most significant benefits of being a security champion is the increased potential for career advancement. As in most professions, proficiency in a critical aspect of one’s job often results in recognition from leadership. This can go a long way towards opening doors for advancement when the opportunity presents itself. By positioning themselves as experts on the subject of secure development practices, security champions make themselves invaluable to their organization.
Moreover, mentoring other developers on the team can have additional benefits that can be just as rewarding as advancing one's career. Through leading by example and serving as a resource for security-related concerns, security champions earn the respect of their peers while helping to instill a mindset of shared responsibility for security at the AppDev level. This can help facilitate a positive change in culture, enabling the development of more secure end products while helping the organization move towards a less siloed work environment. In this case, that means an environment in which security and development teams work together with greater cohesion.
The Challenge of Culture Change in the Context of Application Security and Modern Application Development
Security champions promote the concept of shifting security left in the delivery pipeline, increasing security awareness, and addressing such concerns at earlier points in the development lifecycle. While the benefits of such an evangelizing role can be excellent, it is not without its problems. As with any significant shift in an organization’s culture, changing the way things are done in the context of AppSec can be challenging.
No one can argue that application security isn’t important, but security champions may face issues with buy-in from development teammates who feel that addressing these security concerns at the design and development phases will slow down AppDev. These folks might see the upfront cost and overhead involved in integrating security into the development process and feel that it will put a strain on the team’s ability to deliver changes efficiently. What they’re missing, though, is the fact that this culture change will lead to significant savings at the end of the development cycle.
The truth of the matter is that making security a shared responsibility across domains and considering it at the earliest points in the development process lowers risk. Not only does it reduce the inherent risk of introducing security vulnerabilities in production, but it also reduces threats to the delivery schedule. In other words, continuously evaluating and addressing security issues throughout the development process decreases the likelihood that teams will discover significant security vulnerabilities (the kind that can upend a release schedule) as critical delivery deadlines approach.
So what does it take to be a security champion in the world of modern application development? While the answer may vary a little across AppSec programs, the core remains the same. The ideal security champion should:
- Be motivated and driven to build highly secure end products.
- Have a strong interest in engaging in continuous educational opportunities in the realm of application security and staying up-to-date as the landscape evolves.
- Be willing to act as a resource for their peers, answering questions and mentoring them on secure coding best practices.
If you would like to learn more about Gartner’s perspective, download this Gartner report to get a clear understanding of their recommendations to leverage Security Coaches (Champions) in organizations like yours.