In episode 77 of the We Hack Purple Podcast, host Tanya Janca chats with Brendan Sheairs about her latest obsession: security champions! Brendan has significantly more experience in this area than anyone Tanya has met, so they dug in deep on this topic. We covered a lot in this episode, including:
• What the heck are security champions? Why would someone want them?
• You need building blocks
◦ Must-haves: goals! Who will run it? What problem are they solving?
• What is the business goal? Or objective? You need a justification to do this!
• Getting buy-in to be allowed to build a program
• Having fewer bugs in production
• Morale? Are they happier? Are they missing less work?
• Biggest challenge: the time commitment for champions, and then no one is allowed to work on it
• You need top-down buy-in, but then the work happens bottom-up
• 10% for champions, what does this mean? What can it look like?
• Conflicts of interest, or alignment with other important things like deadlines and bonuses
• Motivations: Career advancement and financial
• Things we can do to motivate champions
• What does a good program look like?
• Is someone leading the program? Someone needs to be responsible for the program, or it will, for sure, fall apart
• Why would companies want to have a champs program? To reduce process friction (false positives, bugs not getting fixed, security being avoided)
• Ensuring people don’t dread working with the security team
• Making it as easy as possible to do security
Semgrep Supply Chain’s reachability analysis lets you ignore the 98% of false positives in open source vulnerabilities and quickly find and fix the 2% of issues that are actually reachable.
Semgrep also makes a ludicrously fast static analysis tool. They have a free and a paid version of this tool, which uses an open-source engine and offers a community-created rule set! Check out Semgrep Code.
Join We Hack Purple!
Check out our brand new courses in We Hack Purple Academy. Join us in the We Hack Purple Community: a fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcasts, Overcast, Pod, Amazon Music, Spotify, and more!