
Q&A with Marisa Fagan on Security Championship


According to security specialist Marisa Fagan, the ratio of security professionals to developers is at best in the range of 3:100. Such a constraint can logistically force security professionals into a position of high contention, where it is easy to become a bottleneck. These risks are made worse in environments where security feedback occurs at the end of the development cycle, at a point where the cost of rework is highest. To address this, Fagan recently spoke at QCon London 2018 about elevating engineering team members interested in security into the role of security champions. She advocated for a formal program within organisations which intentionally creates a capacity to up-skill individuals and build bridges with organisational security teams.

Fagan, product security lead at Synopsys, gave a talk titled Security Champions: Only You Can Prevent File Forgery, proposing a strategy for dealing with this contention for security expertise. She proposed a transparent security championship program, focused on security engineers building bridges with individuals within teams, and supporting them in being up-skilled as deputised champions for security.

Fagan defined a security champion as a person who is an "advocate for stronger code and security processes within a team or organisation." Depending on the size of the organisation, this championship can be targeted at the team, a group of teams or even the organisation as a whole. Fagan explained that individuals could start championing security through practical means by:

  • Seeking additional security training.
  • Watching out for relevant CVEs.
  • Raising security bugs.
  • Evangelising about security.
  • Reaching out and building bridges with security teams.
  • Seeking opportunities to show and champion tools.
  • Integrating security feedback into CI/CD pipelines.

Fagan also recommended that champions should start to create threat models of their applications, which highlight risk and help security teams become better versed in a team's applications. Fagan recommended starting with OWASP's attack cheat sheet for application threat modelling. "Start with the common threats and pair this with a risk model, such as the DREAD scale." She also explained that coming up with a measure of severity can help prioritise where effort is placed.

Fagan discussed the need for organisational buy-in so that the value of security championship, the time it consumes, and underlying risks are all transparent and measured. Going beyond individual championship, she talked about the ultimate endgame being one of organisations investing in company-wide security championship programs with dedicated program owners. Fagan talked of the need for companies to support 10-20% of a champion's time being invested in up-skilling in security competencies.

She advised organisations to start out with a pilot initiative which can evolve into a programme that is embedded in company culture and promoted through incentive schemes. Talking about the importance of bridge building and communicating with people, Fagan reminded the audience that "part of the process will require face-time." She went on to point out that championship is a relationship management role, involving trust-building with the business and existing security teams. She also explained that the program owner would need to work with security teams and champions, either directly or by creating a pyramid of champions with clear roles. Fagan advised targeting an upper bound of one security owner to 15 champions, potentially breaking this down further into "smaller pods of security specialists and champions."

Coming back to the problem of contention for a limited number of security specialists, Fagan ended by reminding the audience that "the security teams need your help. Accept the call and become a security champion."

InfoQ caught up with Fagan to talk about some of the themes of her talk.

InfoQ: Your talk emphasises the need for organisational buy-in. What approaches have you found effective in being able to highlight the value of improving security capability in this way?

Marisa Fagan: The ROI is quite high. In terms leadership will relate to, the cost of training and program management is offset by the improved capabilities of the team and the improved velocity to the business. Also, a security champions program may help deliver customer requirements. Achieving organisational buy-in is usually more of an issue of finding the right passionate person to drive it to them.

InfoQ: Do you have a good anecdote about a situation where you've seen a security championship program succeed?

Fagan: I've seen this program succeed many times, but never get due credit for fostering critical conversations between the security and development teams that have resulted in on-time releases instead of a security blocker post feature freeze.

InfoQ: What was your first experience with security championship?

Fagan: My first chance to build a Security Champions program was at Salesforce in 2015. We felt the pain of coverage gaps in a large company, and we heard about a training program at Adobe where employees were earning different colour belts for extra levels of security training. We created a new role that gave developers extra training and new skills in security testing. It was very well received.

InfoQ: Are there types of security championship better suited to less technical team members, such as those in UX and product management functions?

Fagan: Although this program is geared towards engineers, other roles should also feel like security is their responsibility. Keep current on the latest trends and news. Sometimes just asking a question at the right time can be incredibly helpful in bringing security front of mind.

Slides and a video recording of Fagan's talk will be made available on InfoQ over the coming months.
