Dev and Sec Pros Believe in 'Security Champions' Programs
- By John K. Waters
With the rise of DevSecOps, "security champions" programs are gaining traction in the enterprise as tools with the potential to strengthen application security and improve relationships between security and DevOps teams. The results of a new survey suggest that a growing number of security and development professionals are convinced of the value of these programs.
The survey ("Security Champions: Empowering Heroes to Unite Security and DevOps") was conducted by ZeroNorth, a Boston-based provider of risk-based vulnerability orchestration across applications and infrastructure. It looked at the state of security champions programs, and found that 84% of respondents believed in their benefits.
Among the survey's findings: although the concept of security champions program is not a new one, 67% of these programs have existed for less than two years, and almost 40% have been in place less than one year. For organizations that have implemented a security champions program, 78% of respondents said the program has strengthened security skills and knowledge of developers, and 77% said it improved the company's overall AppSec posture.
ZeroNorth released the survey's findings this week at the OWASP Global AppSec Virtual event, underway through October 31. The Open Web Application Security Project (OWASP) defines a "security champion" as an active member of non-security teams who may help to make decisions about when to engage the security team. A security champion can help an organization make up for a lack of security coverage or skills by empowering a member of the development team to act as a force multiplier who can pass on security best practices, answer questions, and raise security awareness.
These programs are being implemented by organizations looking to create a culture of security across the development process, which is being disrupted in some ways by the advent of DevOps practices. In fact, according to a recent Ponemon Institute Research report, 71% of AppSec professionals believe security is undermined by developers who don't include proper security functionality early in the software development life cycle (SDLC).
"The challenge of securing applications against increasingly sophisticated attacks is larger than any single organization," said ZeroNorth CEO, John Worrall, in a statement. "The most successful approaches to creating a culture focused on security begin at the top, with CISOs and security leaders working to bridge internal divides and demonstrate that the security of applications is everyone's responsibility."
The survey also found that:
- Security champions have the power to improve AppSec, with 84% of respondents agreeing or strongly agreeing.
- "Passion" for security gives strength to a security champion, with 50% of respondents naming it the characteristic for a successful security champion.
- Security champions are a unifying force with 56% of respondents saying corporate security leadership was a top requirement for the success of security champion and 47% saying engineering leadership support.
- Corporate security teams are vital to the success of security champions programs, with 57% of respondents saying they should play a role in defining security priorities and 47% saying they should be involved in training best practices.
A copy of the full report can be downloaded here.
John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].