The first step in starting your own Security Champions program is to map the scale of the problem
existing teams you will be working with. Since we're aiming to achieve better coverage and spread
of security, it's extremely important to write it down and keep in publicly known and accessible
place. Rounds of 1-on-1 interviews with product owners and engineering leads would be a good start
for this activity.
Typical questions you want to ask:
- how many teams are working per product
- which technologies (programming languages, frameworks) they use
- where are the code and documentation stored
- what automated tools and external/internal services are used for development and testing
- what is currently the process of code review (including security code review) and who is involved
- are there any other security-related activities for the product, apart from code reviews
- what is the release calendar / cycle / current stage of the product
- what are the most commonly used communication channels for the product
- how does one typically report a security issue / bug for the product, and who's taking care of it
The outcome of this exercise should be a page on internal wiki with table e.g. as follows:
| Product | Team | Technologies | Security contact (if any) | Team lead | Product manager | BTS | Comments |
|---|---|---|---|---|---|---|---|
| Product1 | Alpha | Python, Django | John Smith | John Smith | Anna Nowak | HELO | Usage of Bandit tool |
| Main page | Next page >> |
|---|