Frequently Asked Questions β¶
Do I have to be a security expert to be a Security Champion?¶
Absolutely not! This is a initiative for people to learn more about security and generate a network for people to share experiences and competence.
Who can become a Security Champion?¶
Everyone who considers themselves part of a development team can become a Security Champion. If you are a developer, ux-designer, tester, citizen developer or anything in-between, you are welcome to join. There is no requirement to be an Equinor employee to join, we invite consultants as well!
Does being a Security Champion result in a lot of extra work?¶
It depends on what you want to do. It can be everything from just informing the team about security related issues/questions you hear about in the network, to facilitating regular threat modelling sessions, or implementing Snyk in your pipelines, and a ton of other activities one can do. There are events organized by the network one can attend; e.g. weekly "morning coffee" and monthly seminars (both can be joined digitally).
Am I required to contribute/have talks in the network?¶
No, but we highly recommend everyone on sharing. It might also be that you hear about a problem or solution from a team member or co-worker that can be shared. Asking questions is also contributing!
I don't know anything that's worth sharing¶
Are you sure? Everyone knows something, and how you apply certain tools or how you've implemented security testing could be very interesting! The Impostor syndrome is real, and we need to combat it.
I have a story I want to share¶
Awesome! We want to hear about what you did. Reach out to the AppSec team on Slack after reading the stories page. Maybe we will award this with unique merch as well?
Even if it was something "bad" you discovered in your project, why not share? It's important to highlight the issues we have as well as the good, as everything can be used to learn from.
So I joined, what now?¶
Check out what you can do in the activities section.
I want to attend one of the Security Champion events / meetups. Do you provide a WBS for hours and travel expenses?¶
The Security Champion initiative is a network we invite IT professionals to join and share experiences. Members need to ask their project managers or line leaders for approval to travel and spend time on the network.
I don't have enough time to spend on security related work¶
If you feel like the team do not get the needed time to work on security, please reach out to the AppSec team on Slack. We can help convey the importance and help highlight risk in your team.
Can we have more Security Champions in our team?¶
Ideally, each development team should have one or more team-members who takes on the role of Security Champion. If you are unsure if you have too many, don't hesitate in reaching out to ask.
Remember that it is the entire team that is responsible for the security of applications in the team's portfolio. The Security champions will support the team, but not bear any extended responsibility.
How can sign up to become a Security Champion?¶
Use this form to sign up!
Any more questions?¶
Please reach out to us on Slack, #appsec / #security-champion or email at appsec[at]equinor.com.