2. Define the role

The main objective of this step is to set tangible goals for the program and to prepare a clear role description for future Security Champions. Measuring the current security state of the teams was partly covered in the previous step; a detailed description of how to build an organization-wide AppSec strategy is beyond the scope of this playbook. For that, refer to existing frameworks such as OWASP SAMM, which provides a simple and straightforward way to define and measure such a strategy.

Once your AppSec program and its overall goals are defined, it is crucial to identify the activities that best fit Security Champions and to map each of them onto those goals. Depending on the current state of security in your organization, the role could include some or all of the following:

  • conduct and/or verify security reviews in the team
  • guard and promote best practices
  • raise issues for risks in existing and new code
  • build threat models for the new features
  • conduct and/or verify automated scans
  • investigate bug bounty reports
  • participate in R&D activities

Further expected activities are listed in the outcomes of the Security Champions session at the OWASP Summit 2017. Remember that the set of activities can evolve over time as the mid-term security strategy is adjusted.
