
Security Champion Activities 🦸‍♀️

Introduce yourself

Say hello in the Security Champion channel 👋 It is always fun to meet new champions.

Ensure that all your code is being scanned by SAST

Ensure that all of your projects' code is scanned by Snyk, and that Snyk Code (Snyk's SAST product) is enabled for them: the Snyk Open Source scan only covers your dependencies, not the code you write yourself. Using a linter while you develop is always a good idea too!
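As an added example (not from the original page or the Snyk project), this GitHub Actions workflow runs Snyk Code on every pull request via the Snyk CLI and fails the job on high-severity findings. The workflow, job and secret names are placeholders; `SNYK_TOKEN` is assumed to hold a Snyk API token stored as a repository secret.

```yaml
# Added example: run Snyk Code (SAST) on every pull request.
# Workflow/job/secret names are placeholders; the CLI invocation is the documented one.
name: sast
on: [pull_request]
jobs:
  snyk-code:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - name: Install the Snyk CLI
        run: npm install -g snyk
      - name: Snyk Code (SAST), fail the build on high-severity findings
        # The CLI authenticates with the SNYK_TOKEN environment variable.
        run: snyk code test --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
```

Note that `snyk code test` only works once Snyk Code is enabled for your organization in the Snyk settings, so a failing first run is the quickest way to spot a project where the page's check ("Snyk Code enabled") has not been done.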

Define security requirements

Have a look at our security requirements page and define some for your project.

Check out our guidelines

We have created a few guidelines. Please check them out and consider implementing them in your projects where it makes sense.

Info

Feedback is good, so if you have any, feel free to contact us, or even create a PR on our GitHub repo!

Threat Modelling activities

We can organize introductory sessions on threat modelling; simply reach out to @appsecteam in our Slack channel #appsec.

  • Facilitate a threat modelling session with your team, looking at the high-level architecture of your system(s)
  • Introduce "abuser stories" for all your tasks (e.g. add a section for them to the template you use for describing tasks)
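As an added example (not part of the original page), here is a minimal abuser-story section you could paste into a task template. The field names and the sample wording are suggestions; the format mirrors the familiar "as a / I want to / so that" user story, but written from the attacker's point of view so that the mitigation and its verification become part of the task's acceptance criteria:

```markdown
## Abuser story

**As an** <attacker type, e.g. unauthenticated user / user of another tenant / insider>
**I want to** <misuse the feature, e.g. fetch another tenant's invoice by changing the id in the URL>
**so that** <impact, e.g. I can read financial data I am not authorised to see>

**Mitigation:** <the control that stops the story, e.g. every invoice lookup is scoped to the caller's tenant>
**Verification:** <how we prove it, e.g. an automated test that requests a foreign id and expects 403/404>
```

Keeping the verification line mandatory is what makes the story useful: a task is not done until the test that exercises the abuse exists and passes.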

Contribute to this site

As of now, a lot of the content on this site is written by the AppSec-team. This site is meant to be a resource for the Security Champion community, and thus contribution from the community is crucial for making this site useful.

If you have anything to share that you think will be useful for others, don't hesitate. The same goes for editing the content that already exists.

Just go to our GitHub repo and make a PR. Pro tip: you can open Visual Studio Code directly in your browser by pressing "." while you are on a page of the repository. Contributing has never been easier!

Have the team work through the OWASP Juice Shop

OWASP Juice Shop is a great resource for security training and for getting familiar with the OWASP Top Ten. There are many ways to use this project for training, some of them being:

  • Run it in CTF mode, and agree on which challenges are to be solved during the sprint. At the end of the sprint, go through the challenges together
  • Set aside a couple of days for going through the challenges together
  • Go through one challenge at each stand-up

Check out the OWASP ASVS

The OWASP ASVS (Application Security Verification Standard) is a catalogue of technical security requirements and controls for web applications, organised into three verification levels. Have a look and see if it makes sense to use for your project :)

Manually security test your application

Have a look at the OWASP WSTG (Web Security Testing Guide).