How Security Champions Can Build an Alliance With Developers

Introduction

Although the term Security Champion is still relatively new, it has already become a mainstay within security and development circles, with a definition that has begun to evolve. Security Champions are key personnel who are responsible for tracking security issues with application and product development teams as well as security teams.

It is important to note that Security Champions are not usually responsible for implementing these security recommendations but are seen as one of the main drivers of the implementation due to their proximity to the development teams and the security teams. This means that when a difficult call needs to be made that relates to the application’s security posture, it’s on the Security Champion to push for its implementation. This can sometimes set Security Champions at odds with the rest of the development team, especially when major changes must be made to accommodate security concerns.

Fortunately, this doesn’t need to be the case. It is entirely possible for development teams, security teams and Security Champions to work together to achieve the goal of creating secure applications that don’t compromise on quality, features or release frequency.

Developer Issues

If you have ever worked in a software development environment, then you probably know about the stress and anxiety that developers experience on a daily basis. Developers need to create fully functional applications in record time, battling product owners and team leads who set seemingly unreachable goals day after day.

Developing commercial applications is difficult even without factoring in additional security features, let alone rewriting entire sections of code to accommodate concerns from the security team. Tidying up code to eliminate a seemingly small security vulnerability can stall progress on an entire project and delay a product’s release or update cycle, which makes everybody unhappy.

The seemingly contradictory goals of (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Graeme Messina. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/kPwI_exKPY0/