Skip to main content
SpringerLink
Log in

Facilitating Security Champions in Software Projects - An Experience Report from Visma

  • Conference paper
  • First Online:
Product-Focused Software Process Improvement (PROFES 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14483))

  • 366 Accesses

Abstract

The role of security practices is increasingly recognized in fast-paced software development paradigms in contributing to overall software security. Security champions have emerged as a promising role in addressing the shortage of explicit security activities within software teams. Despite the growing awareness of general security practices, there remains limited knowledge regarding security champions, including their establishment, effectiveness, challenges, and best practices. This paper aims to bridge this gap by presenting insights from a survey of 73 security champions and 11 interviews conducted within a large Norwegian software house. Through this study, we explore the diverse activities undertaken by security champions, highlighting notable differences in motivations and task descriptions between voluntary and assigned champions. We also reported challenges with onboarding, communication, and training security champions and how they can be better supported in the organization. Our insight can be relevant for similar software houses in establishing, implementing, and improving their strategic security programs.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Coverity scan - static analysis. https://scan.coverity.com

  2. Hack the box. https://www.hackthebox.com

  3. Innovation. https://www.oxfordlearnersdictionaries.com/definition/american_english/innovation

  4. MAXQDA. https://www.maxqda.com

  5. OWASP top ten. https://owasp.org/www-project-top-ten/

  6. Pluralsight. https://www.pluralsight.com

  7. Secure code warrior. https://www.securecodewarrior.com

  8. TryHackMe. https://tryhackme.com

  9. VASP VCDM. https://www.visma.com/trust-centre/security/vasp-vcdm/

  10. Who we are. https://www.visma.com/organisation/

  11. Aalvik, H., Nguyen-Duc, A., Cruzes, D.S., Iovan, M.: Establishing a security champion in agile software teams: a systematic literature review. In: Arai, K. (eds.) Advances in Information and Communication. FICC 2023. LNNS, vol. 652. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-28073-3_53

  12. Alshaikh, M.: Developing cybersecurity culture to influence employee behavior: a practice perspective. Comput. Secur. 98, 102003 (2020)

    Article  Google Scholar 

  13. Alshaikh, M., Adamson, B.: From awareness to influence: toward a model for improving employees’ security behaviour. Pers. Ubiquit. Comput. 25(5), 829–841 (2021)

    Article  Google Scholar 

  14. Gabriel, T., Furnell, S.: Selecting security champions. Comput. Fraud Secur. 2011(8), 8–12 (2011)

    Article  Google Scholar 

  15. Haney, J.M., Lutters, W.G.: The work of cybersecurity advocates. In: Proceedings of the 2017 CHI Conference Extended Abstracts on Human Factors in Computing Systems, pp. 1663–1670 (2017)

    Google Scholar 

  16. Jaatun, M.G., Cruzes, D.S.: Care and feeding of your security champion. In: 2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA), pp. 1–7. IEEE (2021)

    Google Scholar 

  17. Jenssen, J.I., Jørgensen, G.: How do corporate champions promote innovations? Int. J. Innov. Manag. 8(01), 63–86 (2004)

    Article  Google Scholar 

  18. Likert, R.: A technique for the measurement of attitudes. Arch. Psychol. 22(140), 55 (1932)

    Google Scholar 

  19. Morgan, G.: Riding the waves of change. Imaginization Inc. (2013)

    Google Scholar 

  20. Oates, B.J., Griffiths, M., McLean, R.: Researching information systems and computing. Sage (2022)

    Google Scholar 

  21. Runeson, P., Höst, M.: Guidelines for conducting and reporting case study research in software engineering. Empir. Softw. Eng. 14(2), 131–164 (2009)

    Article  Google Scholar 

  22. Ryan, I., Roedig, U., Stol, K.J.: Understanding developer security archetypes. In: 2021 IEEE/ACM 2nd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS), pp. 37–40. IEEE (2021)

    Google Scholar 

  23. Thomas, T.W., Tabassum, M., Chu, B., Lipford, H.: Security during application development: an application security expert perspective. In: Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, pp. 1–12 (2018)

    Google Scholar 

  24. Van de Ven, A.H.: Central problems in the management of innovation. Manage. Sci. 32(5), 590–607 (1986)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Norwegian Univeristy of Science and Technology, Trondheim, Norway

    Anh Nguyen-Duc, Daniela Soares Cruzes & Hege Aalvik

  2. University of South Eastern Norway, Bø i Telemark, Norway

    Anh Nguyen-Duc

  3. Visma, Timisoara, Romania

    Monica Iovan

Authors
  1. Anh Nguyen-Duc
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Daniela Soares Cruzes
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Hege Aalvik
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Monica Iovan
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Anh Nguyen-Duc .

Editor information

Editors and Affiliations

  1. FHV Vorarlberg University of Applied Science, Dornbirn, Austria

    Regine Kadgien

  2. Fraunhofer Institute for Experimental Software Engineering, Kaiserslautern, Germany

    Andreas Jedlitschka

  3. FHV Vorarlberg University of Applied Science, Dornbirn, Austria

    Andrea Janes

  4. University of Oulu, Oulu, Finland

    Valentina Lenarduzzi

  5. University of Oulu, Oulu, Finland

    Xiaozhou Li

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Nguyen-Duc, A., Cruzes, D.S., Aalvik, H., Iovan, M. (2024). Facilitating Security Champions in Software Projects - An Experience Report from Visma. In: Kadgien, R., Jedlitschka, A., Janes, A., Lenarduzzi, V., Li, X. (eds) Product-Focused Software Process Improvement. PROFES 2023. Lecture Notes in Computer Science, vol 14483. Springer, Cham. https://doi.org/10.1007/978-3-031-49266-2_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-49266-2_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-49265-5

  • Online ISBN: 978-3-031-49266-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation