An Overview of the OWASP Security Champions Playbook

The OWASP Security Champions Playbook is an OWASP (Open Web Application Security Project) project created to support the Security Champions 2.0 initiative. The project was started at the OWASP Bucharest AppSec Conference 2017.


The Security Champions Playbook details the main steps required to establish a Security Champions Program for every type of organization, regardless of their size and maturity level.

What is the Role of a Security Champion?

Per OWASP’s definition: “Security Champions are the active members of a team. This team makes decisions regarding when a security team should be engaged and what security bugs are present in the applications.” The following graph illustrates the further roles and obligations of Security Champions.


In addition to the above-mentioned roles, Security Champions help define security best practices, write security tests for identified risks, monitor vulnerabilities in tools and libraries, prioritize security-related stories in the backlog, and attend security conferences.

What Are the Benefits of Having Security Champions Teams?

Security Champions teams bring numerous advantages; the primary ones are listed below:

  • They help establish a security culture
  • They engage non-security people in thinking about security
  • They scale security through the use of multiple teams

What Are the Topics in the Security Champions Playbook?

The Security Champions Playbook consists of six chapters, which are listed below:

1: Identify Teams
2: Define the Role
3: Nominate Champions
4: Set up Communication Channels
5: Build Solid Knowledge Base
6: Maintain Interest

The following sections take a deep dive into the detailed description of each chapter mentioned above.

1. Identify Teams

When you want to start your own Security Champion Program, the first step is to map your existing security teams. You need to conduct one-on-one interviews with engineering leads and product owners to (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Fakhar Imam. Read the original post at: