
Security Champions Playbook


Latest revision as of 18:49, 23 October 2017

Intro

The Security Champions Playbook is a project started in preparation for the presentation "Security Champions 2.0" (slides: https://www.owasp.org/images/3/3c/OWASP_Bucharest_2017_Antukh.pdf) at the OWASP Bucharest AppSec Conference 2017. It describes the main steps for quickly establishing a Security Champions program, regardless of company size and the maturity of the existing security processes.


Who are the Security Champions?

According to the OWASP definition, Security Champions are "active members of a team that may help to make decisions about when to engage the Security Team". They are a core element of the security assurance process within a product or service and act as the Single Point of Contact (SPOC) for security within their team.

More information about the Champions: https://www.owasp.org/index.php/Security_Champions


What benefits do Champions bring to my company?

The main advantages of having a team of Security Champions are:

  • Scaling security across multiple teams
  • Engaging "non-security" people in security work
  • Establishing a security culture

Security Champions Playbook

To keep it simple, I've listed six easy-to-follow steps with clarifications for each. The chapters include general recommendations, links to known good sources, and personal experience. I will be happy to hear your feedback and update the playbook. The current version:

1. Identify teams

2. Define the role

3. Nominate Champions

4. Set up communication channels

5. Build a solid knowledge base

6. Maintain interest

Simplified diagram

[Image: Security Champions Playbook.png]