In episode 77 of the We Hack Purple Podcast host Tanya Janca chats with Brendan Sheairs about her latest obsession; security champions! Brendan has significantly more experience in this area than anyone Tanya has met, so they dug in deep on this topic. We covered a lot in this episode, including;
• What the heck are security champions? Why would someone want them?
• You need building blocks
◦ Must haves: goals! Who will run it! What problem are they solving?
• What is the business goal? Or objective? You need a justification to do this!
• Getting buy in to be allowed to build a program
• Having fewer bugs in production
• Moral? Are they happier? Are they missing less work?
• Biggest challenge, time commitment for champions, and then no one is allowed to work on it
• You need top down buy in, but then the work happens bottom up
• 10% for champions, what does this mean? What can it look like?
• Conflicts of interest or alignment with other important things like deadline and bonuses
• Motivations: Career advancement and financial
• Things we can do to motivate champions
• What does a good program look like?
• If someone leading the program? Someone needs to be responsible for the program, or it will, for sure, fall apart
Want More Brendan? Here you go!
Very special thanks to our sponsor!
Semgrep Supply Chain’s reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.
Semgrep also makes a ludicrously fast static analysis tool They have a free and paid version of this tool, which uses an open-source engine, and offers additional community created ruleset! Check out Semgrep Code HERE (https://semgrep.dev/products/semgrep-code/).
Join We Hack Purple!