The goal of the AppSec community is to foster a collaborative environment among developers through coaching and mentoring.
At Security Journey, our programmatic learning approach includes advanced levels where learners complete activities within their organization and take on mentorship opportunities.
This article will review four activities for security champions to complete within their organization.
Progressive Learning Explained
Progressive Learning is an educational philosophy emphasizing the importance of learners working through content at their own pace and developing their abilities.
With Security Journey's AppSec Education Platform, you can choose from our programmed themes (Levels, Climbs, or Belts) or create your own theme for progressive learning.
Read More: Benefits of Progressive Learning
Let's review the five levels of our AppSec Progressive Learning:
Level 1 / Foundational
Learners gain foundational knowledge around core security concepts to ensure that everyone in the organization speaks the same security language and has the same core understanding of Application Security. Example Lesson: Core Security Concepts
Level 2 / Intermediate
Content dives deep into the how and why of application security while remaining language and technology agnostic. Example Lesson: Injection: SQL and Command
Level 3 / Advanced
Learners will select a particular learning path to learn the security content relevant to their role in the organization. Example Lesson: Secure Design Principles
Level 4 / Professional
Through research and leadership opportunities, learners take the first steps toward becoming security champions. These activities take the learner from security expert to security champion for their organization. Example: Apply newly learned knowledge inside the organization, e.g., evaluating security processes.
Level 5 / Expert
You can become a security mentor and leader in your organization, positively impacting the security culture and enhancing the organization's security posture. Example: Deliver security education sessions and liaise between security and development.
What is a Security Champion?
As learners progress through the training program and reach Levels 4 and 5, they begin participating in security activities; these learners are your organization's Security Champions.
A Security Champion is a member of the development team who is a proponent of security-minded development practices. They are not part of the security team but earn a badge of honor for taking on additional responsibilities in support of it.
This person works as a liaison between the two teams and has an in-depth understanding of each team's priorities. This is the most effective way for the development team to ensure it supports the security team's priorities.
4 Examples of Security Champion Activities
Here is a list of recommended security tasks a security champion can complete to earn their Level 4 / Professional completion:
Advocate For Security
Advocate for security within the organization by promoting the importance of security and encouraging other developers to prioritize security in their work.
An activity that could accomplish this is conducting security-oriented peer reviews.
Conduct Security Awareness Campaigns
Conduct security awareness campaigns to educate employees on the importance of security and how to avoid common security threats, such as phishing attacks or social engineering.
An activity that could accomplish this is hosting lunch-and-learn sessions for your organization.
Create a Threat Model
Conduct a threat model of an application or system to identify vulnerabilities and potential risks, then produce a list of possible mitigations.
The goal of threat modeling is to understand the risks before a system is built and to help educate other developers on avoiding similar vulnerabilities in the future; there is no one-size-fits-all methodology for identifying every threat.
- [Article] What is Threat Modeling? (Practical Guide + Threat Modeling Template)
- [Download] Threat Modeling Manifesto
Implement Security Scanning Tools
Implement security scanning tools, such as static application security testing (SAST, i.e., static code analysis) or dynamic application security testing (DAST) tools, to identify vulnerabilities in applications and systems. The security champion can help set up and tune these tools so they minimize false positives while still catching real vulnerabilities.
- [Article] SAST vs. DAST vs. IAST
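To make "refining a scanning tool to minimize false positives" concrete, here is a small added example (not Security Journey's code, and not any real SAST product) of a single static-analysis rule written with Python's `ast` module. It flags SQL statements assembled from runtime values, shows how a refined version of the rule stops reporting literal-only string concatenation, and honours a reviewed-suppression list keyed on a stable fingerprint so a finding a champion has already triaged as a false positive does not reappear in every scan. The `SAMPLE_SOURCE`, the rule id `SQLI-001` and the `TABLE` constant in the sample are constructed for the demonstration.

```python
"""Minimal SAST-style rule runner with false-positive handling (added example)."""
import ast
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    message: str
    fingerprint: str  # stable id used by the suppression list


def _fingerprint(rule_id: str, path: str, snippet: str) -> str:
    # Hash rule + file + whitespace-normalised source text, not the line number,
    # so a suppression survives unrelated edits that shift lines around.
    raw = f"{rule_id}|{path}|{' '.join(snippet.split())}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def _all_constant(node: ast.AST) -> bool:
    """True if the expression is built only from string literals (no runtime data)."""
    if isinstance(node, ast.Constant):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _all_constant(node.left) and _all_constant(node.right)
    return False


def _is_dynamic_string(node: ast.AST, refined: bool) -> bool:
    """Naive rule: any concatenation, f-string or .format() call is suspect.
    Refined rule: additionally ignore concatenations made solely of literals."""
    if isinstance(node, ast.JoinedStr):  # f-string
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return not (refined and _all_constant(node))
    return False


def scan(source: str, path: str = "app.py", refined: bool = True) -> list[Finding]:
    """Report every `<obj>.execute(<dynamic string>, ...)` call in `source`."""
    tree = ast.parse(source)
    lines = source.splitlines()
    findings = []
    for node in ast.walk(tree):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute" and node.args
                and _is_dynamic_string(node.args[0], refined)):
            snippet = lines[node.lineno - 1]
            findings.append(Finding(
                "SQLI-001", path, node.lineno,
                "SQL statement assembled from runtime values; use a parameterised query",
                _fingerprint("SQLI-001", path, snippet)))
    return sorted(findings, key=lambda f: f.line)


def apply_suppressions(findings: list[Finding], suppressed: set[str]) -> list[Finding]:
    """Drop findings whose fingerprint a reviewer has already accepted as a false positive."""
    return [f for f in findings if f.fingerprint not in suppressed]


# Constructed sample input: a file a champion might scan.  Line 5 is literal-only
# concatenation (a classic false positive); line 6 formats in a module constant.
SAMPLE_SOURCE = '''\
def find_user(cur, name):
    cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
    cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
    cur.execute("SELECT * FROM users WHERE name = ?", (name,))
    cur.execute("SELECT count(*) " + "FROM users")
    cur.execute("SELECT * FROM {}".format(TABLE))
'''

# Reviewed and accepted: TABLE is a module-level constant, not user input.
REVIEWED_FALSE_POSITIVES = {
    _fingerprint("SQLI-001", "app.py", 'cur.execute("SELECT * FROM {}".format(TABLE))'),
}


def run_example() -> dict[str, list[int]]:
    """Return the flagged line numbers at each stage of tuning."""
    naive = scan(SAMPLE_SOURCE, refined=False)
    refined = scan(SAMPLE_SOURCE, refined=True)
    triaged = apply_suppressions(refined, REVIEWED_FALSE_POSITIVES)
    return {
        "naive": [f.line for f in naive],        # [2, 3, 5, 6]
        "refined": [f.line for f in refined],    # [2, 3, 6]
        "triaged": [f.line for f in triaged],    # [2, 3]
    }


if __name__ == "__main__":
    for stage, lines in run_example().items():
        print(f"{stage}: flagged lines {lines}")
```

The two remaining findings are the genuine ones: string concatenation and an f-string that splice a caller-supplied `name` into the statement, which the parameterised call on line 4 avoids. The two mechanisms shown, tightening the rule itself and recording reviewed suppressions by fingerprint, are the levers a champion has for keeping a scanner's signal-to-noise ratio high enough that developers keep trusting its output.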
Are You Active About Your AppSec?
At Security Journey, we know rolling out a training program can be daunting. Our AppSec Education Platform is entirely customizable for your needs or comes out of the box with nearly 700 lessons to create a multi-year, programmatic level-based approach.
Our level-based approach gives all learners the foundation of understanding to apply security concepts to their daily work. Three advanced learning paths offer developers in-depth security knowledge and the skills to build a solid security culture.