Roles

Security Champion

The Security Champion is the owner of the security program. This will likely come with the following responsibilities:

  • Management of security-related processes and policies
  • Management of security training
  • Representing the security program to external and internal stakeholders
  • Leading the tool selection process
  • Business contact for security tools

Security Expert

Security Experts are typically engaged primarily in either defensive or offensive activities. Defensively focused experts should be part of your organization because their work tends to be ongoing. Offensively focused experts can be more effectively sourced externally, since their work tends to be episodic and they often have quite specialized skills.

Mature security programs will typically use both internal and external experts. In some cases an internal Security Expert may be part of a specific product development team. In other cases the expert might be part of a consultative team supporting multiple products.

Defensive Security Expert

Your defensive security experts will be involved in the following types of activities:

  • Consulting on implementation of the program itself
  • Monitoring external security issue feeds
  • Training & Mentoring
  • Consulting on implementation of security-related product capabilities
  • Participation in Threat Modeling
  • Threat evaluation in the context of specific software components – trying to answer the “how serious is this threat?” question. Note: The security expert may play an important role in managing the cost of a program by providing mitigating explanations.
  • Security Incident Consulting

Offensive Security Expert

Offensively oriented Security Experts are most likely involved in:

  • Penetration testing
  • Vulnerability Assessment

Software Designer

In some organizations this role may be a dedicated one with a suggestive title such as “Architect.” In other organizations it just identifies one of the hats that a software developer wears. This is an important role for security because truly effective Application Security needs to be designed in from the start. From a security perspective, you will be looking for the following:

  • Ensuring “security best practices” are followed
  • Identification of technical solutions to security requirements such as effective logging
  • Participation in Threat Modeling

Developer

Historically, the majority of exploitable software vulnerabilities are the result of coding errors. Your developers are the first line of defense against these vulnerabilities. Developers are also the primary audience for most security tools since these tools are typically reporting concerns that need to be addressed by the implementation.

Test Engineer

The software Test Engineer is responsible for evaluating the implementation of security-related features. The Test Engineer may play a role in running security tools and interpreting tool output. We also want the Test Engineer to help identify vulnerabilities; for example, spotting information in a log file or an error banner that is overly revealing. Some organizations may look to develop penetration testing skills in Test Engineers.

DevOps Engineer

The DevOps Engineer is responsible for integrating security tools into the development pipeline. The DevOps Engineer is also likely to be responsible for other aspects of tool use such as installation and upgrade, troubleshooting, etc.

Deployment Engineer

The Deployment Engineer manages the production instances when a software component is released “as a service.” The Deployment Engineer will be validating that the service continues to meet security requirements such as “clean security scans.” The Deployment Engineer will play a central role in the response to any security incident.

Product Manager

The Product Manager is responsible for managing the investment in a product. From an Application Security perspective, we are looking for the Product Manager to make trade-offs between security and all of the other product needs. The Product Manager will need to have a high-level understanding of the nature of different threats and of vulnerability scoring. The Product Manager will also need to have a good understanding of the security-related processes and policies.