SDL at Scale: Growing Security Champions

Conference:  BlackHat EU 2018
The presentation discusses strategies for promoting cybersecurity awareness and education within an organization, including lunch-and-learn sessions, conference summaries, and regular capture-the-flag (CTF) sessions:
  • Lunch-and-learn sessions featuring presentations from the security research team
  • Conference summaries to share information from security conferences attended by various members of the organization
  • Regular capture-the-flag sessions to provide hands-on experience with cybersecurity challenges
  • Identifying and training security champions within the organization to promote cybersecurity awareness and education
The capture-the-flag sessions were particularly successful: many developers became interested in the challenges and learned about topics such as cross-site scripting and SQL injection. The sessions let developers learn at their own pace and gain a better understanding of defense strategies.
If you're tasked with securing a portfolio of applications, it's a practice in extremes. You've got a small team of security experts trying to help a multitude of developers, testers, and other engineers. You have to find a way to work with the team that's been around forever doing Waterfall on one huge product, and at the same time you have to support all the microservices that the new Agile and DevOps teams are building. And to make things extra exciting, those agile teams are pushing to production anywhere from once a month to several times a day. Even if your security team is fully staffed, there still aren't enough security experts to go around. Do you focus all your attention on the highly engaged team, the noisy and demanding team, or the team that never replies to your emails? They all need you.

By partnering with your development organization to create a guild of Security Champions, you can help them all. Establishing a Security Champion role on your development teams enables them to be more self-sufficient while maintaining and even improving their security posture. With careful selection and well-defined goals, you can train Security Champions who go beyond just interfacing with the security team and also handle a range of security activities completely within their teams, helping you scale your program.

This presentation will examine the value of the Security Champion role within the development team, which groups need to commit for the program to succeed, how to find good champions, and what benefits everyone involved can expect to gain. Based on lessons learned building a successful Security Champion program over the past 5 years, it will detail actionable steps you can take to bootstrap, monitor, and maintain a customized program that fosters these champions in your organization.