Here are some tips on how you can build a case for a developer security champion program.
Developer security champions are members of the development team that can translate application security into a language that the rest of the developers can understand. These champions embed application security knowledge where it’s needed most: with the dev team.
Earlier this week, I spoke with the members of Forrester’s Security & Risk Council about developer security champions programs. We discussed the key steps to building a successful program, a couple of council members shared their own experiences with creating developer security champions programs, and we engaged in a group exercise with breakout sessions (a technological and organizational ballet when you’re doing all this virtually). Midway through the discussion, I received a question: How, in the midst of budget cuts and staff reductions, can we sell the leadership on another security program?
With the pandemic and accompanying recession still going strong, security teams face hiring freezes, are forced to make budget and staffing cuts, or are told to “do more with less.” Champions programs do not come for free: You must invest in management, training, incentives, and developer time. It’s easy to say that it’s “the wrong time” to add such a program, but instead, you should prioritize it. Why?
In the midst of today’s challenges, resist the temptation to quietly start an informal, unfunded pilot program to “prove the concept.” Instead, push for visibility, formality, and budget. For developer security champions programs to be successful, you need buy-in from executives and development leaders. Some developers and dev managers may be reluctant to engage, so higher-level support will guide them in the right direction. Even if you start small, funding and formal approval will give your program credibility and help you grow it over time.
This post was written by Principal Analyst Sandy Carielli and it originally appeared here.