September 16, 2019
Wouter ‐ Security Specialist
One of our biggest challenges when my fellow Security colleague Wouter and I started our Agile Security Journey at WORTH, was enabling and scaling security processes into agile teams. The majority of our developers & QA engineers were very excited about security, but there was no platform for them to learn new skills or share knowledge. Therefore, the solution was simple: starting a Security Champions guild. In this article, the Security Team will take you on this journey.
What is a Security Guild?
Setting up an Agile Guild is one thing, but coming up with interesting topics for your guild sessions once you start a guild is another. As Security Guild Coordinators, we want to share a few workshops topics to keep everyone engaged.
As part of our Agile Security Journey, we determined that having Security Champions is a great initiative to improve the security posture within our development teams. We decided that anyone within an agile development team can take upon the Security Champion role. For example, a Developer or a Test Engineer is also a Security Champion. In each of our teams, there are one or two Security Champions that are part of the Security Champions guild.
Having a 'security-aware' team member within the team is not something new. The idea of 'Security Champions' comes from application security initiatives such as OWASP, and is adopted by major tech companies such as Linkedin, Adobe and Salesforce.
Why start a Security Champions guild?
A Security Champions guild is a great platform for engineers to develop new skills and share knowledge. Establishing a Security Champion role in development teams enables them to be more self-sufficient while maintaining and improving their security posture.
Security Champions can help overcome agile security challenges by:
- Threat thinking during development and security by design
- Implementing continuous and proactive security vs. ad-hoc and reactive security
- Implementing best practices; a standard set of security across all development teams
- Ensuring that security is a shared responsibility and taken into consideration in every sprint
We want our Security Champions to carry responsibility for performing security activities within their project. This will show their unique added value to the client and stakeholders.
How do you start a Security Champions program?
We looked up online resources and found out that the members of OWASP created the Security Champions Playbook which describes 6 steps to establish a security champion program, regardless of company size. We used the playbook as a reference for our approach. In a future blog we will talk about our lessons learned setting up the program.
Picking interesting topics for the workshops
How do we keep every Security Champion engaged during the guild session?
Our Security Champions guild consists of a mix between testers and developers, which means there are differences in technical skills and expertise. We needed to find interesting topics that would be learning beneficial and engaging for everyone. After some brainstorming, the Security Team decided upon the topic based on past observations and common security threats.
Our sessions are usually planned for two hours. In the first 30 minutes, the topic is highlighted including bad scenario examples. Then, we move onto the challenges part in which we engage the Security Champion to perform several hack assignments.
Here are three topics we discussed in the past. Hopefully this will inspire you!
1. Web hacking 101 - Injection attacks
In this workshop, we told the Champions about basic common web application injection attacks such as Cross-Site Scripting and SQL Injection. For the challenge we used bWAPP, a free and open source deliberately insecure web application. We also introduced our Champions to the web proxy tool Burp Suite, which can aid in performing web application injection attacks.
After the workshop, one of our Champions was surprised that SQL Injection is easily exploited using automated tools such as sqlmap.
Tip: Create challenges with different difficulties (easy, medium & hard). Hard challenges are made for the more security-savvy engineers that like a challenge.
2. Dangers of Open Source - Vulnerable package exploit
The majority of code within modern applications contains code programmed by the open-source community. Open source packages specifically within NPM and Github are great. Why reinvent the wheel when the functionality is already available and maintained?
However, how can you assure that a package does not contain any security vulnerabilities? In addition, are you certain that the package does not add more risk? If it's secure now, how do you know it will remain secure in the future? Dependency Management is a vital process within any development project, but this can be quite challenging. We will talk more about Dependency Management in a future blog post.
In this workshop, we want to teach the Security Champions what could go wrong when introducing an insecure dependency. We provided a Spring Application with a vulnerable dependency. The task for the Security Champion is to scan the application using dependency scan tools such as OWASP Dependency Check or Snyk. The scan report will indicate a critical vulnerability. The challenge for the Security Champion is to exploit this vulnerability in order to fully compromise the application and gain root access to the server.
3. New webshop features - An agile threat modeling scenario
WORTH performs Threat Modeling to identify and resolve risks and vulnerabilities during the design phase. Threat modeling is especially useful when it’s integrated into the Agile development process so that the team can review new features for potential threats and if needed, implement adequate security controls. Ideally, Agile Threat Modeling should be performed before starting a new sprint.
In this workshop we simulated a sprint planning scenario. The project was a webshop that sells Rubber Duckies. The Product Owner wanted new features, such as account registration incl. credit card payments. The challenge for the Security Champions was to brainstorm new threats & controls and present the risks to the product owner.
In the end, we had lots of fun brainstorming new threats while keeping everybody engaged. This workshop cultivates Threat Thinking, which feeds into security by design.
Christos - Security Champion: "I learned about concepts I was not aware of, and also learned how to use certain security tools. We are not really updating our threat model but I'm pretty sure the knowledge I got and applied during our sessions, will turn out to be helpful. The challenges format is good, a guided way to reach a good level of understanding."
Final tip: let your Champions decide!
The guild should be a living shared responsibility amongst guild members. We are slowly moving towards the next phase, where we assign guild members to be coordinators of the guild sessions. For now, we came up with the idea to give the Champions the opportunity to decide on the next topic using a poll.
Hopefully this post gave you some insights in our Security Champions program, and inspired you with some ideas for engaging guild sessions. Remember: a security guild should be a collaborative initiative. Learn together and apply the knowledge in your daily work. See you next time!