Security Champions or Security Engineers? Why the Debate Rages On

On December 13th, Google launched Gemini AI, their latest weapon in the generative AI arms race. This blog post stems from my reaction to the news, followed by an insightful exploration of the large language model (LLM) on the following Saturday.

As my kids battled in Fortnite on the couch next to me, I embarked on my own quest: to barrage Google Bard with questions and pick its digital brain for insights about application security. This back-and-forth questioning led to a sudden realization: could Gemini offer a fresh perspective on a debate that had been stuck in my mind all week?

In a company with a robust Security Champions program, would Security Engineers become redundant? Could Bard help me craft a more informed argument, for or against?

The answer, as I soon discovered, was yes!

Arguments For and Against

To understand the arguments Bard could generate, I entered something similar to the following prompt:

Can you write an argument for/against the [Subject] in [Industry Name] from multiple perspectives? Before you do so, state the characteristics of the various characters. How would you disarm the argument? Format your answer as a table.

The results impressed me. Here is a Google Sheet of the output after I tweaked it with some of my own thoughts and formatted it. I’ve highlighted in yellow what I find to be the strongest arguments or concerns.

Generating A Blog Post

After completing the analysis of arguments for and against, I created the rest of this blog post with the prompts:

Outline a blog post debating the use of Security Champions instead of Application Security Engineers.

Create a blog post based on the previous outline.

Enjoy the rest of this blog post by Bard; it isn’t bad:

Champions or Engineers? Why the Application Security Leadership Debate Rages On

In today’s digital world, where every click can unleash a cyber storm, application security is no longer an option; it’s a lifeline. But how do we build that lifeline? Do we lean on the passion and proximity of Security Champions, embedded within development teams, or invest in the specialized expertise of dedicated Application Security Engineers (AppSec Engineers)?

The debate between champions and engineers has become a heated one in the security arena. Both sides wield compelling arguments, leaving organizations grappling with the “who should we build?” question.

Champions: The Grassroots Approach

Think of security champions as the Paul Reveres of your development teams. They’re not full-time security professionals, but passionate individuals with a keen eye for security concerns. They raise awareness within their teams, promoting a “security-first” culture, and act as liaisons between developers and the central security team.

The advantages? Champions are cost-effective, leveraging existing talent and enthusiasm. They foster collaboration, breaking down silos and embedding security knowledge within development workflows. And their ability to scale is undeniable, empowering a larger group to champion security practices.

But champions have limitations. Their technical expertise may not be enough to tackle complex vulnerabilities. They operate in a reactive mode, often responding to identified issues rather than proactively hunting for them. And without a centralized authority, consistency and adherence to security policies can be a challenge.

Engineers: The Specialized Weaponry

AppSec engineers are the SWAT team of application security. They possess deep knowledge of vulnerabilities, threats, and mitigation strategies. They actively hunt for security flaws, conduct code reviews, and implement best practices, acting as a proactive shield against cyber threats.

The benefits are clear. Engineers offer unmatched expertise, ensuring vulnerabilities are identified and addressed effectively. They take a proactive approach, preventing issues before they can exploit applications. And their centralized presence provides consistent guidance and enforcement of security policies.

However, engineers come at a cost, both financially and in terms of resource allocation. Their specialized skillset may be overkill for smaller teams, and their focus on technical expertise can sometimes create a disconnect with development workflows.

Finding the Right Balance: A Hybrid Approach

The truth is, the champion vs. engineer debate is a false dichotomy. Both roles can coexist and complement each other beautifully. The optimal strategy? A hybrid approach that leverages the strengths of each:

  • Start with champions: For smaller organizations or those new to security, building a champion program can raise awareness and foster a security-first culture.
  • Evolve towards engineers: As applications grow in complexity and risk, investing in dedicated AppSec engineers becomes crucial to tackle advanced threats and ensure comprehensive security.
  • Collaborate and empower: Champions and engineers should work together, with champions providing insights into team dynamics and engineers offering technical expertise and guidance.

Ultimately, the decision depends on your specific context. Consider factors like your organization size and needs, the complexity of your applications, and your security maturity level. And remember, the most effective strategy is one that evolves alongside your security posture, embracing champions, engineers, and everything in between.

The Takeaway:

The debate between champions and engineers isn’t a matter of choosing sides; it’s about building a comprehensive and adaptable security team. By leveraging the strengths of both, you can create a fortress around your applications, where passion meets expertise, and every click becomes a step towards a more secure future.

Call to Action:

Share your thoughts! Have you had success with champions, engineers, or a hybrid approach? Let’s continue the conversation and build a stronger application security community together.

Resources: