Security Champion responsibilities

The security champion should focus on the emergent design of the epic or feature that the team is building. This list breaks down the topics of emergent design and the security champion's integration tasks for the team's sprint workflow:
1. Help to install and maintain the security tools in the build chain
- Provide local tool-agents for developers to run in-machine
- Integrate with designated orchestration service (e.g. Jenkins/Bamboo/Azure DevOps/Gitlab/Github)
- (Optional) integrate with Github Pull-Requests
2. Pre-sprint, [Requirements Envisioning]
- Review business-requirements/feature-sets/user-stories to find and prioritize security requirements.
3. Pre-sprint, [Prioritized Requirements]
- Triage the security backlog (which comes from Requirements Envisioning)
- Add items to sprint work by priority
4. Pre-sprint (and sprint Zero), [Architecture Envisioning]
- Create high-level threat models with security SME and team
- Capture the significant architectural threats of the business-requirements/epics/feature-sets/user-stories
- Use relevant security patterns (from a pattern library) for mitigations
5. Pre-sprint, [Active Stakeholder Participation]
- Communicate threat model threats and proposed security controls to the key stakeholders via:
  - dashboards
  - reports
  - (potentially) meetings
6. Pre-sprint, [Single Source of Information]
- Ensure that the threat model information is located in the same space as the reference context or process diagram
- Record the security metadata as few times as possible to increase consistency and reduce maintenance in the data
- The project space should be considered the single source of security information
7. Pre-sprint, [Just Barely Good Enough]
- Keep the team focused on providing just the necessary security patterns for the current defined work, and not more
- The team should only add relevant patterns that pertain to the epic/feature/story that the team is working on
8. In-sprint, [Model Storming]
- Update the epic/feature threat model with any new information or threats during the team standup
- Enforce a timebox around this activity to ensure it is focused
9. In-sprint, [Test-Driven Design]
- Have the team build security tests for each threat and mitigation in the team threat model
- Run security tests to validate security patterns and to improve those patterns if they need changing
10. In-sprint, [Executable Specifications]
- Make sure security verification tests are built into the sprint
- These tests may be used to:
  - validate the threat model threats and mitigations
  - confirm security patterns
  - verify that security controls are correctly implemented in the code
11. In-sprint, [Iteration Modeling]
- Work on the threat model of the specific user story/feature/epic combination with the team as part of the early sprint activities
12. In-sprint, [Look-Ahead Modeling]
- Focus the team on modelling just the complicated business requirements of the coming sprint, so the team doesn't have to wait for any stakeholders to agree.
13. In-sprint, [Document Continuously]
- Be sure that the threat model is constantly reviewed and updated
- Continuously check that the security patterns are properly implemented and are providing good security coverage (via security testing)
14. In-sprint, [Document Late]
- Only add specific threat model elements when a particular business requirement or user story is defined and needed
- Update the threat model and security pattern information as soon as the project design gets updated
- Write full "official" threat model reports as late as possible and rely upon the work-in-progress information during the sprints
15. In-sprint, [Multiple Models]
- Be prepared to create some explicitly derived threat models to explore:
  - Threat actors
  - Attack scenarios
  - Different architectural security strategies
  - Different architectural security patterns
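Items 9, 10 and 13 above call for a security test behind every threat and mitigation in the team threat model, checked continuously. The following is an added example (not Tutamantic's or the Tutamen product's code) of a threat-model-as-code record for a hypothetical password-reset feature, with a coverage check a team could run in the build chain from item 1; the threat, mitigation and test identifiers are constructed for illustration.

```python
"""Threat-to-test traceability check for a threat model kept as code."""
from dataclasses import dataclass, field


@dataclass
class Mitigation:
    id: str
    pattern: str                # security pattern taken from the pattern library
    tests: list = field(default_factory=list)   # ids of verification tests


@dataclass
class Threat:
    id: str
    description: str
    mitigations: list = field(default_factory=list)


# Constructed sample threat model for a hypothetical password-reset feature.
THREAT_MODEL = [
    Threat("T1", "Reset token guessed by an attacker", [
        Mitigation("M1", "high-entropy-token", ["test_token_entropy"]),
        Mitigation("M2", "token-expiry", []),      # no test written yet
    ]),
    Threat("T2", "Reset link delivered to an unverified address", []),  # no mitigation yet
]

# Constructed test results, as a CI step would collect them (test id -> passed?).
TEST_RESULTS = {"test_token_entropy": True}


def coverage_report(model):
    """Return (threats without a mitigation, mitigations without a test)."""
    untreated = [t.id for t in model if not t.mitigations]
    untested = [m.id for t in model for m in t.mitigations if not m.tests]
    return untreated, untested


def validated_mitigations(model, results):
    """Ids of mitigations whose verification tests all ran and passed."""
    return [m.id for t in model for m in t.mitigations
            if m.tests and all(results.get(x) for x in m.tests)]


def sprint_gate(model, results):
    """True only when every threat is mitigated and every mitigation is verified."""
    untreated, untested = coverage_report(model)
    verified = set(validated_mitigations(model, results))
    all_mitigations = {m.id for t in model for m in t.mitigations}
    return not untreated and not untested and verified == all_mitigations


if __name__ == "__main__":
    print(coverage_report(THREAT_MODEL), sprint_gate(THREAT_MODEL, TEST_RESULTS))
```

Run as a pipeline step, a failing gate stops the sprint build until the missing mitigation or test is added to the threat model.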
Of course, Tutamantic can help by automating much of the tedious threat model work, making it more consistent and repeatable, and getting it fully integrated into your team's workflow. Contact support01@tutamantic.com for more information on the Tutamen SaaS product.
