Security Operations Glossary
Security Champions - AppSec in Entwicklungsteams verankern
Security Champions are developers or engineers who serve as advocates for security within their teams. They act as a bridge between the security team and the development teams, promote secure coding practices, identify security risks early on, and help scale application security across the entire organization.
Security Champions solve a fundamental scaling problem: A single security team cannot oversee all development processes at the same time. Security Champions bring security expertise into every team—without requiring every developer to become a security expert.
The Scaling Problem
Typical situation without Security Champions:
Security team: 2–5 people
Development teams: 50–200 developers in 5–20 teams
Result:
→ Security team is a bottleneck
→ Code reviews take weeks
→ Developers bypass security processes (too slow)
→ Security is perceived as a “naysayer”
→ Vulnerabilities are discovered only shortly before release
With Security Champions (1 per team):
→ 10 teams × 1 champion = 10x multiplier effect
→ Initial security review conducted within the team itself
→ Security team handles complex issues, not basics
→ Security as part of team culture, not external oversight
→ "Shift Left": Vulnerabilities identified in the design phase instead of during penetration testingSetting up the Security Champion Program
Program Structure:
Phase 1: Selection and Recruitment
Ideal Security Champions:
→ Intrinsic interest in security (NO obligation!)
→ High standing within their own team (influencer effect)
→ Technical understanding (not exclusively coders)
→ Willingness to invest ~10–20% of time per week
Recruitment channels:
→ Internal announcement + voluntary sign-up
→ Nomination by team leads (but only volunteers!)
→ Identification based on previously demonstrated security affinity
→ Incentives: Training budget, conference tickets, certifications
Phase 2: Training (Foundation)
Month 1: In-depth study of the OWASP Top 10
→ Hands-on workshop (WebGoat, DVWA, Juice Shop)
→ "Break the App" exercises in a secure environment
→ Champions analyze exploits from an attacker’s perspective
Month 2: Secure coding for your own stack
→ Java: OWASP Java Cheat Sheet Series
→ Python: Bandit + secure Django/FastAPI patterns
→ JavaScript/TypeScript: OWASP Node.js Cheat Sheet
→ Infrastructure as Code: Checkov, tfsec
Month 3: Threat Modeling
→ Practical application of the STRIDE method
→ Analyze your own team’s architectures
→ Create a threat model for a real team project
Ongoing (monthly):
→ Security Champion Community of Practice (1 hour/month)
→ Discuss new CVEs that affect the team
→ CTF challenges for team building
→ External conferences (OWASP AppSec Days, BSides)
Phase 3: Team Tasks
Weekly:
□ Check code reviews for security issues
→ Interpret SAST tool results (Semgrep, SonarQube)
→ Separate false positives from genuine findings
□ Answer security questions within the team (first point of contact)
□ Monitor dependencies for new CVEs (Dependabot)
Project Kickoff:
□ Facilitate threat modeling for new features
□ Incorporate security requirements into user stories
□ Conduct architecture review with a security focus
Release:
□ Work through the pre-release security checklist
□ Document known risks in release notes
□ Coordinate with the central security team for penetration testing
Incident Response:
□ Initial security assessment during incidents
□ Root cause analysis at the security code level
Phase 4: Governance and Metrics
Metrics for the Champion Program:
→ Vulnerability Discovery Rate: More findings detected early?
→ Mean Time to Remediate Critical Vulnerabilities: Declining?
→ Security Debt: Tech debt due to security issues?
→ SAST Coverage: % of codebase with active scanning
→ Champion Retention: Do champions stay in the program?
Engagement Metrics:
→ Community meeting attendance
→ Posts in the security Slack channel
→ Submitted security improvementsTools and Resources for Champions
OWASP Resources (free):
OWASP Cheat Sheet Series:
→ cheatsheets.owasp.org
→ 100+ cheat sheets for specific security topics
→ SQL Injection Prevention, XSS Prevention, Authentication...
→ Champions: Bookmarks for frequently used sheets
OWASP Testing Guide (OTG):
→ Comprehensive methodology for security testing
→ Champions use it for review checklists
OWASP WebGoat / Juice Shop:
→ Deliberately insecure apps for practice
→ WebGoat: Java, interactive lessons
→ Juice Shop: Node.js, modern stack, CTF mode
SANS/OWASP SAMM (Software Assurance Maturity Model):
→ Maturity model for application security
→ Self-assessment: Where does the team stand today?
→ Roadmap: What to improve next?
---
Technical Tools for Champions:
SAST Interpretation:
Semgrep: Customizable rules, low FP rate
Horusec: Multi-language, container-native
CodeQL: GitHub-native, complex data flow analysis
Champion task: Calibrate rules, mark FPs as false positives
Dependency scanning:
Dependabot: GitHub-native, auto-PRs
Renovate: More control over update strategy
OWASP DC: Offline-capable, Java-focused
Champion task: Prioritize and push critical updates
Threat Modeling:
OWASP Threat Dragon: Diagram tool, free
Microsoft TMT: Windows tool, STRIDE-focused
Drawio + Templates: Flexible, team-collaborativeSuccessful Programs in Practice
Security Champion Programs at Large Enterprises:
Spotify Security Champions:
→ 100+ champions worldwide, 3,000+ developers
→ "Security Guild" structure (autonomy + alignment)
→ Champions write their own security guidelines for their teams
→ "Trust, but verify": Central security for spot checks + complex reviews
Mozilla Security Champions:
→ Volunteer program since 2013
→ Champions get early access to security information
→ Privileged access to the Mozilla security community
SAP Security Champions (DACH context):
→ Global program with regional hubs
→ Monthly training sessions (threat intel, new CVEs)
→ Internal CTF competitions
→ Champions are sponsored to attend external conferences
Lessons Learned:
✓ Volunteering is not optional—forced champions are not true champions
✓ Recognition > Money: Conference tickets, expert status, decision-making authority
✓ Community before training: Champions help each other
✓ Don’t overburden: 10–15% of time maximum; team goals remain the priority
✓ Executive support: Managers must allocate time for champion activities
✗ Mistake: Treating champions as the sole security officers
✗ Mistake: No budget for professional development
✗ Mistake: Champions without clear role expectations
