# Security Champion Example Activities 🦸♀️

## Ensure that all your code is being scanned by SAST

Ensure that the code of all your projects is scanned by a SAST tool (e.g. Snyk Code) on every change, and that all developers use a linter. Note that SAST analyses your own source code; dependency scanning (SCA, e.g. `snyk test`) is a separate check and does not replace it.
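As an added example (not from this site or from Snyk), here is a GitHub Actions workflow that runs a linter and Snyk Code on every push and pull request and fails the job on findings. It assumes a Node.js project with ESLint already configured and a `SNYK_TOKEN` repository secret; the file path and job name are hypothetical.

```yaml
# .github/workflows/security.yml  (hypothetical path; added example, not project code)
name: Lint and SAST

on:
  push:
    branches: [main]
  pull_request:

jobs:
  lint-and-sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - run: npm ci

      # Linter: --max-warnings=0 turns warnings into a failed check,
      # so "the linter is green" actually means something.
      - name: Lint
        run: npx eslint . --max-warnings=0

      # SAST with Snyk Code. `snyk code test` scans the source tree;
      # plain `snyk test` would only scan dependencies (SCA).
      # The CLI picks up SNYK_TOKEN from the environment, so no `snyk auth` step is needed.
      # Snyk Code must be enabled for your Snyk organisation for this command to work.
      - name: SAST (Snyk Code)
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        run: |
          npm install -g snyk
          snyk code test --severity-threshold=high
```

To make "all your code is scanned" enforceable rather than aspirational, mark the `lint-and-sast` check as required in branch protection for the default branch; a workflow that can be skipped or ignored on red is not a control.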
## Define security requirements

Have a look at our security requirements page and define some for your project.
## Threat modelling activities

- Facilitate a threat modelling session with your team, looking at the high-level architecture of your system(s)
- Introduce "abuser stories" for all your tasks (e.g. add a section for them to whatever template you use for detailing tasks)
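One concrete way to do the second point, added here as an example and not taken from this site: a GitHub issue form that makes an "Abuser stories" section mandatory for every task, so the question "how could someone misuse this?" gets asked when the work is written down rather than after it ships. The file path and field names are hypothetical.

```yaml
# .github/ISSUE_TEMPLATE/task.yml  (hypothetical path; added example, not project code)
name: Task
description: Work item with a mandatory abuser-story section
labels: ["task"]
body:
  - type: textarea
    id: user-story
    attributes:
      label: User story
      placeholder: "As a <role>, I want <capability> so that <benefit>."
    validations:
      required: true

  # The abuser-story field is required, so a task cannot be filed without
  # at least one line on how the feature could be misused.
  - type: textarea
    id: abuser-stories
    attributes:
      label: Abuser stories
      description: >
        How could an attacker, a malicious insider or a careless user misuse this feature?
        One story per line. Write "None identified" if you genuinely found none.
      value: |
        - As an attacker, I want to <misuse> so that <gain>.
    validations:
      required: true

  - type: textarea
    id: mitigations
    attributes:
      label: Mitigations / acceptance criteria for the abuser stories
      description: What in this task's design or tests addresses each abuser story?
```

The same pattern works for any task tracker with templates (Jira, Azure Boards, GitLab issue templates); the point is that the section exists by default and is hard to leave empty.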
## Contribute to this site

As of now, a lot of the content on this site is written by the AppSec team. This site is meant to be a resource for the Security Champion community, so contributions from the community are crucial for making it useful.

If you have anything to share that you think will be useful for others, don't hesitate. The same goes for editing the content that already exists.

Just go to our GitHub repo and make a PR :)
## Have the team work through the OWASP Juice Shop

OWASP Juice Shop is a great resource for security training and for getting familiar with the OWASP Top Ten. There are many ways to use this project for training, for example:

- Run it in CTF mode and agree on which challenges are to be solved during the sprint. At the end of the sprint, walk through the solved challenges together
- Set aside a couple of days for going through the challenges together
- Go through one challenge at each stand-up
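To make the CTF-mode option concrete, here is an added Docker Compose file (constructed for this page, not taken from the Juice Shop project) that starts Juice Shop with its documented `NODE_ENV=ctf` switch, so each solved challenge shows a flag code the team can collect and compare at the end of the sprint. The service name and host port are assumptions.

```yaml
# docker-compose.yml  (added example; service name and ports are assumptions)
services:
  juice-shop:
    image: bkimminich/juice-shop
    environment:
      # Juice Shop's documented switch for CTF mode: solving a challenge
      # displays a flag code in the UI instead of just marking it as solved.
      NODE_ENV: ctf
    ports:
      # Juice Shop listens on 3000 inside the container.
      - "3000:3000"
    restart: unless-stopped
```

Start it with `docker compose up -d` and open http://localhost:3000. Because the application is deliberately vulnerable, run it on a machine or network segment that is not reachable from the internet and tear it down when the exercise is over.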
## Check out the OWASP ASVS

The OWASP Application Security Verification Standard (ASVS) is a collection of technical security controls and requirements for web applications, organised in levels of increasing rigour. Have a look and see if it makes sense to use for your project :)
## Manually security test your application

Have a look at the OWASP Web Security Testing Guide (WSTG), which describes test cases for manually testing a web application.