How Do Security Champions Enable a DevOps Culture?

DevOps is, above all, a mindset for an organization. It helps teams deliver applications and services by adopting a shared culture and a set of best-practice methods that shape both how products are developed and how services are run.

Champion roles are well established in IT, especially where deep product knowledge or expertise in a specific framework is required. But how do security champions fit into the more traditional DevOps space? Quite well, as it turns out.

Security champions are an important backup mechanism. They help keep the wheels turning on a project: by taking on leadership-type roles and decisions within smaller dev teams, they act as a buffer for the team leader, giving that person the freedom to drive the project forward while security best practices are still reinforced within the team.

Defining Teams

First things first: identify who you are working with and who is going to perform which tasks. This sounds obvious, but it needs to be done as early as possible in the course of your security champion program. The main purpose of this exercise is to distribute responsibility for implementing security practices across the teams rather than concentrating it in one place. Documenting these teams is also important, so that the rest of the development organization knows who is responsible for which tasks.

To do this, it is generally a good idea to speak with the technical managers and decision-makers (such as product owners and company heads) and get answers to a few key questions. Find out how many people are working on the different projects being undertaken and how they fit into the dev teams currently working on each one. Find out which programming languages and frameworks are in use, and how far along each project's implementation is.

Security Champion Role Distinction

Each team should have its own security champion designated.

This is a Security Bloggers Network syndicated blog from InfoSec Resources, authored by Graeme Messina. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/OFeQvuTEyDQ/