Main idea here: internal knowledge base should be the primary source of answers for security-related questions. Apart from the meta-team page, which allows anyone to quickly find the right contact, the following pages will prove themselves quite helpful:
- Global security strategy
- Clearly defined security roles and procedures
- Secure development best practices
- Recommended crypto algorithms
- Description of common risks & vulnerabilities
- Password policies
Special attention should be paid to simple and easy-to-follow checklists, as it's usually the simplest way to get the things going. Sample checklists might include the following:
- Web / mobile security checklists
- Third-party security checklist
- UI security checklist
- Privacy checklist
While it can be a tedious task to create everything from the scratch, there is a number of open-source projects, which can make your life much easier. OWASP projects such as Security Knowledge Framework, ASVS and MASVS as well as industry best practices (e.g. CERT secure coding standards) will be an excellent starting point to boost your KB and could become your basis for the first several internal workshops.
Besides having a solid knowledge base that works as reference material, a positive approach is to provide basic training for leveling Sec Ch who had little to no previous exposure to security. By providing the necessary guidance and resources we can speed up the learning curve and make sure Champions are ready to take ownership of more complex scenarios.
The topics to be discussed should be cherrypicked according to the definition of the role. Some core topics that are generally useful:
- Security Champions Program 101
- Secure Coding Good Practices
- Common Vulnerabilities Classes
- Offensive Security Assessments
- Threat Modeling
- Incident Response
- Internal policies and procedures
The training sessions should be short and provide pointers to a curated list of in-depth resources as well as illustrate each topic with real examples from the organization. Recording videos on exploring previous issues might complement the theory presented.
Along with training that provides technical knowledge, it is recommended to clarify and document internal processes where Sec Ch are expected to play significant roles. For instance, Vulnerability Management, Incident Handling, tools recommended (i.e. SAST, DAST, SCA, security plugins, etc), and On-call procedures.
Subjects that are only specific to a certain subset of the Sec Ch (i.e. platform-specific security practices) might be approached after the core topics have been covered. Champions should be fostered to proactively research and present topics that relate to their main areas of expertise. Example of platform-specific topics:
- Android/iOS security (mobile)
- Spring Boot Security (back-end)
- XSS vulnerabilities in Angular/React/Vue (front-end)
- Writing secure IAM policies (infra/cloud)
A strong training program might include the following components:
- Reference Materials from the knowledge base
- Live sessions
- Hands-on practice
- Performance Assessments
Live sessions are useful not only for keeping a clearly defined progress timeline but also to schedule a periodic time for Sec Ch to meet and share experiences, fostering the sense of community and improving the engagement levels.
Hands-on practice should consist of in-house or externally developed labs where participants can work by themselves in scenarios similar to the ones they are expected to face.
Performance assessments are the instruments by which the training program success can be measured. By establishing minimum success criteria in each topic covered, one can consider the champions have received enough inputs to develop their activities accordingly.
To assure Sec Ch have enough exposure to the topics they are expected to be involved with, the program can be split into multiple levels of competency. For example:
- Level 0: completed all mandatory company-wide security awareness training
- Level 1: completed all core topic training
- Level 2: completed all platform-specific training
- Level 3: over 6 months of active experience as a champion / met established KPIs
By assigning responsibilities according to different levels of maturity, one can increase accuracy and a sense of engagement. Besides, it provides a clearer vision of the maturity status of the program itself.
| << Previous page | Main page | Next page >> |
|---|