Developer security champions are members of the development team that can translate application security into a language that the rest of the developers can understand. These champions embed application security knowledge where it’s needed most: with the dev team.
Earlier this week, I spoke with the members of Forrester’s Security & Risk Council about developer security champions programs. We discussed the key steps to building a successful program, a couple of council members shared their own experiences with creating developer security champions programs, and we engaged in a group exercise with breakout sessions (a technological and organizational ballet when you’re doing all this virtually). Midway through the discussion, I received a question: How, in the midst of budget cuts and staff reductions, can we sell the leadership on another security program?
More Urgent Than Ever
With the pandemic and accompanying recession still going strong, security teams face hiring freezes, are forced to make budget and staffing cuts, or are told to “do more with less.” Champions programs do not come for free: You must invest in management, training, incentives, and developer time. It’s easy to say that it’s “the wrong time” to add such a program, but instead, you should prioritize it. Why?
- Scale. If, like many organizations, you’re not hiring a lot of new security staff, you need to push security expertise to the rest of the organization. Developer security champions will address many of the dev team’s basic security questions and requirements, and your team will be able to focus on the trickier ones.
- Speed. Developer security champions are developers first and foremost. That means that they are working with the dev team from the beginning and applying their security expertise to design and development decisions early on. They will help the team avoid poor security decisions that take time to undo later and remediate security issues earlier in the process so that the development team doesn’t get caught in time-consuming security fire drills that delay release.
- Alignment. With many firms finding themselves in 100% remote mode for the first time, strong communication channels help resolve process gaps that were glossed over when everyone was in the office. Developer security champions help bridge the security/development gap, facilitate discussions, and increase the security team’s credibility.
Make It A Formal, Funded Program
In the midst of today’s challenges, resist the temptation to quietly start an informal, unfunded pilot program to “prove the concept.” Instead, push for visibility, formality, and budget. For developer security champions programs to be successful, you need buy-in from executives and development leaders. Some developers and dev managers may be reluctant to engage, so higher-level support will guide them in the right direction. Even if you start small, funding and formal approval will give your program credibility and help you grow it over time.
For more on developer security champions, check out my latest report: “Build A Developer Security Champions Program.”