Which of the following is the best initiative that contributes to threat modeling the most?
A. Social engineering
C. Security champions
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Security champions.
The “security champion” is an important role defined in SAMM. Security champions, who contribute to threat modeling and to the organization’s security culture, should be well trained. Gamification is a strategy, or a set of techniques, for engaging people that can be applied in various settings, including education and training.
“Security Champions are the active members of a team. This team makes decisions regarding when a security team should be engaged and what security bugs are present in the applications.” (OWASP)
Activity Streams of SAMM Practices
- Training and Awareness: Training and awareness focuses on increasing the overall knowledge around software security among the different stakeholders within the organization. Activities include 1) Train all stakeholders for awareness, 2) Customize security training, and 3) Standardize security guidance.
- Organization and Culture: Organization and culture focuses on promoting the culture of application security within the organization as an important success factor of an SDLC project. Activities include 1) Identify security champions, 2) Implement centers of excellence, and 3) Establish a security community.
- Application Risk Profile: An application risk profile helps to identify which applications can pose a serious threat to the organization if they were attacked or breached. Activities include 1) Perform application risk assessments, 2) Inventorize risk profiles, and 3) Periodic review of risk profiles.
- Threat Modeling: Threat modeling is intended to help software development teams understand what risks exist in what is being built, what could go wrong, and how the risks can be mitigated or remediated. Activities include 1) Perform basic threat modeling, 2) Standardize and scale threat modeling, and 3) Optimize threat modeling.
Identify security champions
Benefit: Basic embedding of security in the development organization
Implement a program where each software development team has a member considered a “Security Champion” who is the liaison between Information Security and developers. Depending on the size and structure of the team the “Security Champion” may be a software developer, tester, or a product manager.
The “Security Champion” has a set number of hours per week for Information Security related activities. They participate in periodic briefings to increase awareness and expertise in different security disciplines. “Security Champions” have additional training to help develop these roles as Software Security subject-matter experts. You may need to customize the way you create and support “Security Champions” for cultural reasons.
The goals of the position are to increase effectiveness and efficiency of application security and compliance and to strengthen the relationship between various teams and Information Security. To achieve these objectives, “Security Champions” assist with researching, verifying, and prioritizing security and compliance related software defects. They are involved in all Risk Assessments, Threat Assessments, and Architectural Reviews to help identify opportunities to remediate security defects by making the architecture of the application more resilient and reducing the attack threat surface.
In addition to assisting Information Security, “Security Champions” provide periodic reviews of all security related issues for the project team so everyone is aware of the problems and any current and future remediation efforts. These reviews are leveraged to help brainstorm solutions to more complex problems by engaging the entire development team.
Customize security training
Benefit: Relevant employee roles trained according to their specific role
Security Champions train on security topics from various phases of the SDLC. They receive the same training as developers and testers, but also understand threat modeling and secure design, as well as security tools and technologies that can be integrated into the build environment.
Perform basic threat modeling
Benefit: Identification of architectural design flaws in your applications
Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations. It is typically done as part of the design phase or as part of a security assessment.
Threat modeling is a team exercise, including product owners, architects, security champions, and security testers. At this maturity level, expose teams and stakeholders to threat modeling to increase security awareness and to create a shared vision on the security of the system.
Standardize and scale threat modeling
Benefit: Clear expectations of the quality of threat modeling activities
Use a standardized threat modeling methodology for your organization and align this on your application risk levels. Think about ways to support the scaling of threat modeling throughout the organization.
Train your architects, security champions, and other stakeholders on how to do practical threat modeling. Threat modeling requires understanding, clear playbooks and templates, organization-specific examples, and experience, which is hard to automate.
Your threat modeling methodology includes at least diagramming, threat identification, design flaw mitigations, and how to validate your threat model artifacts. Your threat model diagram allows a detailed understanding of the environment and the mechanics of the application. You discover threats to your application with checklists, such as STRIDE or more organization-specific threats. For identified design flaws (ranked according to risk for your organization), you add mitigating controls to support stakeholders in dealing with particular threats. Define what triggers updating a threat model, for example, a technology change or deployment of an application in a new environment.
Feed the output of threat modeling to the defect management process for adequate follow-up. Capture the threat modeling artifacts with tools that are used by your application teams.
Gamification is the application of game-design elements and game principles in non-game contexts. It can also be defined as a set of activities and processes to solve problems by using or applying the characteristics of game elements. Gamification commonly employs game design elements to improve user engagement, organizational productivity, flow, learning, crowdsourcing, knowledge retention, employee recruitment and evaluation, ease of use, usefulness of systems, physical exercise, traffic violations, voter apathy, and more.
- Early gamification strategies use rewards for players who accomplish desired tasks or competition to engage players. Types of rewards include points, achievement badges or levels, the filling of a progress bar, or providing the user with virtual currency.
- Another approach to gamification is to make existing tasks feel more like games. Some techniques used in this approach include adding meaningful choice, onboarding with a tutorial, increasing challenge, and adding narrative.
- Security Champions 2.0 (OWASP)
- 2020 Security Champions Summit
- Who are the Security Champions?
- How to Build a Network of Security Champions Within Your Organization
- Gamification (Wikipedia)
- Gamification for IT Security Training and Awareness Programs
- How gamification can boost your cybersecurity training
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.