
The OWASP Security Champions Playbook is a project that was initiated to support the OWASP (Open Web Application Security Project) initiative known as Security Champions 2.0. The project was started at the OWASP Bucharest AppSec Conference 2017.
The Security Champions Playbook details the main steps required to establish a Security Champions Program for every type of organization, regardless of their size and maturity level.
What is the Role of a Security Champion?

Per OWASP’s definition: “Security Champions are the active members of a team. This team makes decisions regarding when a security team should be engaged and what security bugs are present in the applications.” The following graph illustrates the further roles and obligations of Security Champions.

In addition to the roles mentioned above, Security Champions help define security best practices, write security tests for identified risks, monitor vulnerabilities in tools and libraries, prioritize security-related stories in the backlog and attend security conferences.
What Are the Benefits of Having Security Champions Teams?

Security Champions teams have numerous advantages. The primary ones are listed below:

- They help establish a security culture
- They engage non-security people in thinking about security
- They scale security through the use of multiple teams

What Are the Topics in the Security Champions Playbook?

The Security Champions Playbook consists of six chapters, which are listed below:
1: Identify Teams
2: Define the Role
3: Nominate Champions
4: Set up Communication Channels
5: Build Solid Knowledge Base
6: Maintain Interest
The following sections take a deep dive into the detailed description of each chapter mentioned above.
1. Identify Teams

When you want to start your own Security Champions Program, the first step is to map your existing engineering teams. You need to conduct one-on-one interviews with engineering leads and product owners to achieve better coverage and spread of security. During the interview, you should ask the following questions:
- How many teams are working on one product?
- What programming language or other technologies do they use for this product?
- Where is the storage location and documentation for this product?
- What internal/external services and automated tools are utilized for the development and testing of this product?
- What is the code review process and are there any other security-related activities?
- When is the product released (calendar date)?
- What communication channels are most commonly employed for this product?
- How and to whom will any bugs found in the product be reported?

After the interviews, you need to summarize the whole exercise in tabular form. Here is a sample version of the table:
| Products | Team  | Technology(s)  | Security Contact | Team leader | Product Manager | BTS  | Any Comments               |
|----------|-------|----------------|------------------|-------------|-----------------|------|----------------------------|
| Product0 | Alpha | Django, python | Johnson          | Johnson     | John Smith      | HELO | Utilization of Bandit tool |

2. Define the Role

Defining the role of Security Champions is indispensable. It is also essential to measure the current security state in the teams, which was done partially in the previous step. This playbook doesn’t provide a detailed description of how to build a global AppSec security strategy. Instead, it recommends studying additional existing frameworks, such as Open SAMM. Open SAMM, the Open Software Assurance Maturity Model, helps enterprises formulate and implement a software security strategy. You can find more information about Open SAMM here.
Once you have clearly defined your goals for your AppSec program, the next step is to define the appropriate roles for your Security Champions. The following activities are crucial in this regard:
- Conducting and/or verifying security reviews in the team
- Conducting and/or verifying automated scans
- Promoting and guarding best practices. Best practices for software security are crucial. They include patching software, training and educating users, automating routine tasks, enforcing least privilege, creating a robust incident response plan, documenting security policies, segmenting the network and integrating security into the Software Development Life Cycle (SDLC)
- Raising issues for risks in new and existing code. Source code can contain flaws that turn into serious problems after deployment. For example, a lack of coding standards may result in lengthy code that creates ambiguities and performance issues
- Building threat models for new features. This is crucial because threat modeling is a fundamental approach for identifying security weaknesses in software during the design phase of the SDLC
- Investigating bug bounty reports. This can help reduce bugs and improve the performance of the software application
- Participating in R&D activities. This involves the innovation, introduction and improvement of the software program. Participating in R&D activities is vital to producing a quality product

In addition, numerous other activities were recognized at the OWASP Summit in 2017. Here is a link where you can find these supplemental activities.
3. Nominate Champions

After defining the roles, you need to nominate the Security Champions themselves. For this purpose, you need to use a top-down approach. This approach requires approval from management at all levels, from C-suite management through product owners down to direct team managers. It is also recommended that you prepare a presentation about the defined roles, explaining how these roles can benefit the security team and how much time is required for security activities (20% is recommended in the playbook).
Once you get top-down approval, the next step is to identify your Security Champions through mini-interviews. It is important to remember that at this point, you are still in the nominating stage rather than the appointing stage. Make the potential Security Champions aware of the benefits of the role. The playbook describes the following benefits:
W