Security Champions and Vulnerability Management

In the Security Champion Program Success Guide blog, I invite industry professionals to offer their opinions, thoughts, experiences, and viewpoints about Security Champion programs in order to expand our collective knowledge and encourage healthy conversation. In this post, Dipen Shah shares practical advice from his position as a “boots on the ground” AppSec Engineer for how to utilize champions to assist with vulnerability management. Enjoy! — Dustin Lehr


Archimedes once said, “Give me a firm place to stand and a lever and I can move the Earth.” 

The idea of a lever, and its ability to multiply force, has been applied to many areas of modern life, such as finance and technology.

Security champions act as levers that multiply the force of an organisation's security efforts. Let's focus on how to leverage champions in your organisation's vulnerability management and remediation efforts.

There are a few prerequisites before you begin. First, you must know your organisation's software assets and its sources of vulnerabilities. The idea is to centralise all the vulnerabilities from these sources and tie them to the software assets (microservices, apps, and other services), the asset owners, and the champions of the respective teams.

In tabular form, the mapping looks something like the table below.

  • SAST = Static Application Security Testing
  • Infra = Container scans / VM scans / EC2 scans
  • DAST = Dynamic Application Security Testing
  • SCA = Source Composition Analysis

Software asset (services) | Owning Team | Engineering Manager | Vulnerabilities from SAST, Infra, DAST, SCA, etc. | Security Champions
Front end                 | Web         | Bob                 | SAST – 40, Infra – 30, DAST – 20, SCA – 10       | Alice
Back to front end         | BFF         | Yen                 | SAST – 20, Infra – 50, DAST – 20, SCA – 12       | Sally
Identity                  | Identity    | Anita               | SAST – 15, Infra – 14, DAST – 10, SCA – 30       | Satish
Order management          | Order       | Brenda              | SAST – 50, Infra – 100, DAST – 5, SCA – 5        | John

Once the mapping is established, let the champions and engineering managers of the respective teams see the vulnerabilities that their teams own. The idea is to create transparency, which will help the respective teams realise their own security posture and how they can drive their remediation efforts. Centralising security vulnerabilities from different sources can also help reduce tool fatigue for both security teams and security champions.

Vulnerability management is a continuous process. Help champions understand the security posture and the top problem areas of their services by walking them through the output of the different security tools. Then work with the champion to mitigate each problem area and run a security campaign across the different teams so that the same problem area is not repeated across the organisation. Focus on eliminating vulnerabilities by class with the help of champions.

For example, SAST scanners may consistently highlight server-side request forgery (SSRF) issues across different services. In this case, security engineers should focus on such recurring problem areas and work with champions to eliminate the whole class of vulnerability rather than individual findings.

Security campaign playbook for eliminating vulnerabilities by class:

  1. Target a specific vulnerability category.
  2. Find instances of the vulnerability across the organisation using your centralised vulnerability management system.
  3. Create awareness among the champions. Explain the vulnerability category, the relevant security controls, and the remediation effort involved.
  4. Embed the safe pattern and make it the default.
  5. Work with engineering teams and developers to ensure existing vulnerabilities are resolved. Create a Jira story for each engineering team.
  6. Work with champions to implement controls that ensure no net new vulnerabilities are introduced. Create a Jira story for each champion.
  7. Work with champions to build test cases that prevent re-introduction of the vulnerabilities.
  8. Set up alerts and scan at pull request (PR) level and at staging level so that these vulnerabilities are not pushed to production. Notify teams via Slack, Jira, email, or whatever notification mechanism works for your organisation.
  9. Repeat with the next vulnerability category.
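As an added illustration (not code from Dipen's post), the following Python sketch shows the centralised asset-to-champion mapping described earlier and step 2 of the playbook: finding every instance of one vulnerability class across the organisation and handing each instance to the champion who owns it. The team, manager and champion names come from the table above; the findings, the `Finding` record and the `SOURCES` list are constructed assumptions standing in for normalised scanner exports.

```python
from collections import Counter, defaultdict, namedtuple

# One normalised record per scanner finding: scanner class, software asset (service), vulnerability class.
Finding = namedtuple("Finding", "source asset category")

SOURCES = ("SAST", "Infra", "DAST", "SCA")

# Asset register: asset -> (owning team, engineering manager, champion); names taken from the post's table.
ASSETS = {
    "Front end": ("Web", "Bob", "Alice"),
    "Identity": ("Identity", "Anita", "Satish"),
    "Order management": ("Order", "Brenda", "John"),
}

# Constructed findings standing in for scanner exports; the last names an asset missing from the register.
FINDINGS = [
    Finding("SAST", "Front end", "SSRF"),
    Finding("SAST", "Identity", "SSRF"),
    Finding("SAST", "Order management", "SSRF"),
    Finding("SAST", "Front end", "XSS"),
    Finding("DAST", "Front end", "Missing security headers"),
    Finding("SCA", "Identity", "Vulnerable dependency"),
    Finding("Infra", "Order management", "Outdated base image"),
    Finding("SAST", "Legacy reporting", "XSS"),
]

def ownership_view(findings, assets):
    """Per asset: team, manager, champion and a count per source, i.e. one row of the table above."""
    view = {}
    for asset, (team, manager, champion) in assets.items():
        counts = Counter(f.source for f in findings if f.asset == asset)
        view[asset] = {"team": team, "manager": manager, "champion": champion,
                       "counts": {s: counts.get(s, 0) for s in SOURCES}}
    return view

def campaign_targets(findings, assets, category):
    """Playbook step 2: every instance of one class, keyed by owning champion; unregistered assets -> UNASSIGNED."""
    by_champion = defaultdict(list)
    for f in findings:
        if f.category == category:
            owner = assets[f.asset][2] if f.asset in assets else "UNASSIGNED"
            by_champion[owner].append(f.asset)
    return dict(by_champion)

def rank_categories(findings):
    """Classes ordered by how many distinct assets they affect; the widest spread is the first campaign."""
    spread = defaultdict(set)
    for f in findings:
        spread[f.category].add(f.asset)
    return sorted(spread, key=lambda c: (-len(spread[c]), c))
```

Findings that reference an asset absent from the register surface under UNASSIGNED so that a gap in the asset inventory is visible instead of silently dropped.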

The idea is to divide the workload across both the engineering team members and champions. Ensure security champions are not overwhelmed with all the threat modelling and vulnerability remediation efforts. The goal of the champions will always be to ensure no net new vulnerabilities or risks are introduced. The goal of the engineering manager and the rest of the team is to remediate existing vulnerabilities or risks.

Dipen Shah


Want to share your own viewpoint or case study about security champions? Contact me on LinkedIn and let’s chat! — Dustin Lehr