Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Champions Playbook

Published bySusanto Tedja Modified over 6 years ago

Similar presentations

Presentation on theme: "Security Champions Playbook"— Presentation transcript:

1 Security Champions Playbook
Moscow, Alexander Antukh

2 Whoami Head of AppSec Opera Software @c0rdis

3 Champions, really? Security champions is an interesting concept of scaling security in multi-team companies. During this presentation I'll share experience of building a team of champions, challenges we had to overcome, and introduce you security champions playbook, so you could play and build your own team.

4 Previous work Nice presentation “Security champions v1.0”
“New era of software with modern appsec”

5 Imagine theoretical situation
Many projects Even more teams Different technologies No strong security culture VS YOU

6 „Security is important! But…”
… it’s good enough for now … these risks are not relevant … it’s just a pilot project … we’re changing too fast … third-party will do it for us … we don’t want no formalisms

7 So what’s with the Champions?
Security champions is an interesting concept of scaling security in multi-team companies. During this presentation I'll share experience of building a team of champions, challenges we had to overcome, and introduce you security champions playbook, so you could play and build your own team.

8 Security Champions Developers QAs Architects Designers …
Anyone interested!

9 Security Champion is … someone with an insight to the project internal kitchen

10 Security Champion is … someone who becomes the team’s security SPOC

11 But what’s more important, it’s …
someone who wants to upgrade security

12 Benefits of having sec champs
Scaling security through multiple teams Engaging “non-security” folks Creating a security culture

13 Security Champions at

14 Security Champions at Security Champion survey
11 questions, 7 yes/no + proposals/ideas 20 respondents CISOs project leaders developers testers architects

15 Security Champions expectations

16 Other selected expectations
Attend security conferences Define best practices Prioritize security-relevant stories in Backlog Monitor vulnerabilities in tools/libraries Write security tests for identified risks More outcomes:

17 So far it looks like that:
You’re alone with a million of security problems ????? Champions appear and solve them PROFIT!

18 Security Champions Playbook

19 Security Champions Playbook
Identify the teams Define the role Nominate champions Set up communication channels Build solid knowledge base Maintain interest

20 1. Identify the teams 1 product = 1 team? Technologies? Documentation?
Communication? Management? Current reviews? Release calendar?

21 1. Identify the teams (contd.)
Expected outcome after this step: Product Team Technologies Security contact Team lead Product manager BTS Comments Product1 Alpha Python, Django Vasya Pupkin Kleopatra Stepanovna HELO Usage of Bandit tool Beta

22 2. Define the role Measure current security state among the teams
Define goals you plan to achieve in mid-term Identify places where Champions could help Produce clearly defined roles for the Champions

23 2. Define the role (contd.)
Depending on current progress and strategy, roles descriptions could be: Verify security reviews Control best practices within the team Raise issues for risks in the existing code Build threat models for new features Conduct automated scans for the code Investigate bug bounty reports

24 3. Nominate Champions Not appoint!! Enthusiasm, remember? ;)

25 3. Nominate Champions (contd.)
Get approvals on all levels Because otherwise you’ll hear the worst argument ever I HAD NO TIME FOR SECURITY!!!

26 3. Nominate Champions (contd.)
Once nominated, make him feel like a Champion: entry to the security meta-team official introduction to the peers insignia ;)

27 4. Set up communication channels
Slack? IRC? Skype? Keybase? Yammer? Mailing lists?

28 5. Build solid knowledge base
Internal wiki as the main resource! Security meta-team with listed champs Clearly defined roles and procedures Secure development best practices Risks & vulnerabilities Checklists Web/mobile security checklist Third-party security checklist UI security checklist Privacy checklist

29 5. Build solid knowledge base (contd.)
Open source to the rescue! Security Knowledge Framework ASVS + MASVS CERT secure coding standards and many more…

30 6. Maintain interest Workshops & trainings Keep them motivated!
Strategy / best practices Security quizes Hacker Thursday "Month of bugs” Keep them motivated!

31 6. Maintain interest (contd.)

32 6. Maintain interest (contd.)
Monthly security newsletters Updates & plans Recognition for leaders Another source of communication Also serve as checkpoints for all

33 6. Maintain interest (contd.)
Security conference calendar Start here: Add local events… And participate in OWASP chapter meetings 

34 https://github.com/c0rdis/security-champions-playbook

35 Afterword The playbook will allow you to get sec reinforcements but THINK BIGGER! Once established properly, they will greatly help you in spreading security across the company and in achieving future sec goals … and the best is to see how they develop themselves!

36 Questions? @c0rdis

Download ppt "Security Champions Playbook"

Similar presentations

2 The Problem Floods are the most common and costly natural disaster in the United States and all communities are vulnerable Over a 30-year mortgage,

2 The Problem Floods are the most common and costly natural disaster in the United States and all communities are vulnerable Over a 30-year mortgage,
Gallup Q12 Definitions Notes to Managers

Gallup Q12 Definitions Notes to Managers
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP Mobile Top Ten 2015 Data Synthesis and Key Trends Part of the OWASP Mobile Security Group Umbrella Project.

OWASP Mobile Top Ten 2015 Data Synthesis and Key Trends Part of the OWASP Mobile Security Group Umbrella Project.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.
1 How to Recruit, Organize, and Retain Volunteers Breakout Session # 1&2, 4&5 Jack Bishop, CPCM, Mentor, Rio Grande Chapter How to Recruit, Organize, and.

1 How to Recruit, Organize, and Retain Volunteers Breakout Session # 1&2, 4&5 Jack Bishop, CPCM, Mentor, Rio Grande Chapter How to Recruit, Organize, and.
Introduction to Management

Introduction to Management
Software Testing and Maintenance 1 Code Review  Introduction  How to Conduct Code Review  Practical Tips  Tool Support  Summary.

Software Testing and Maintenance 1 Code Review  Introduction  How to Conduct Code Review  Practical Tips  Tool Support  Summary.
Theories of Agile, Fails of Security Daniel Liber CyberArk.

Theories of Agile, Fails of Security Daniel Liber CyberArk.
Consultant Advance Research Team. Outline UNDERSTANDING M&E DATA NEEDS PEOPLE, PARTNERSHIP AND PLANNING 1.Organizational structures with HIV M&E functions.

Consultant Advance Research Team. Outline UNDERSTANDING M&E DATA NEEDS PEOPLE, PARTNERSHIP AND PLANNING 1.Organizational structures with HIV M&E functions.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 CREATING AND MANAGING CERT. 2 Internet Wonderful and Terrible “The wonderful thing about the Internet is that you’re connected to everyone else. The.

1 CREATING AND MANAGING CERT. 2 Internet Wonderful and Terrible “The wonderful thing about the Internet is that you’re connected to everyone else. The.
An Agile Requirements Approach 1. Step 1: Get Organized  Meet with your team and agree on the basic software processes you will employ.  Decide how.

An Agile Requirements Approach 1. Step 1: Get Organized  Meet with your team and agree on the basic software processes you will employ.  Decide how.
Welcome to AB140 Introduction to Management Unit 6 Seminar – Control Dr. Brenda Harper.

Welcome to AB140 Introduction to Management Unit 6 Seminar – Control Dr. Brenda Harper.
Cynthia Cherry Welcome to MT 140 Unit 6 - Control.

Cynthia Cherry Welcome to MT 140 Unit 6 - Control.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Community of Practice K Lead Project Team: الالتزامالتحفيز التفكير المؤسسي المرونةالتميزالشراكةالاستقامة.

Community of Practice K Lead Project Team: الالتزامالتحفيز التفكير المؤسسي المرونةالتميزالشراكةالاستقامة.
DRAFT VERSION OF THE LOCAL PILOT WORK STRATEGY (WP04) Presenter: Rafał Dadak Bistrampolis, 20 – 22 of June 2016.

DRAFT VERSION OF THE LOCAL PILOT WORK STRATEGY (WP04) Presenter: Rafał Dadak Bistrampolis, 20 – 22 of June 2016.
Engagement Reflection and Planning

Engagement Reflection and Planning
Facet5 The Power of Personality

Facet5 The Power of Personality

Similar presentations

Ads by Google