diff --git a/docs/security-champion/1-new_security_champion.md b/docs/security-champion/1-new_security_champion.md new file mode 100644 index 00000000..21a2b778 --- /dev/null +++ b/docs/security-champion/1-new_security_champion.md @@ -0,0 +1,35 @@ +# I've joined, now what? + +## Welcome young padawan + +This is where the fun begins. + +- Join the [#appsec](https://equinor.slack.com/archives/CMM6FSW5V) channel on Slack +- You will get an invitation to the [#security-champion](https://equinor.slack.com/archives/C036HGPBJ04) channel within a few days +- Check out our [activities](./2-security_champion_activities.md) +- Check out our [FAQ](./3-faq.md) + +!!! question "Here's a puzzle for you :" + Get your gift by _decoding_ this challenge - + +## Add Security Champion events to your calendar + +To check all events, and add them to your own calendar, go to your outlook calendar and select the Security Champion Calendar from group calendars: + +![Security Champion Calendar](./add_SecurityChampions_calendar.png) + +_Note: This option might not be available on Mac, if that is your case, another option is to use outlook through connectit to add the events._ + +You can also find a calendar of events on [SharePoint](https://statoilsrm.sharepoint.com/sites/securitychampion9) + +## Relevant Slack channels + +- [#Security-Champions](https://equinor.slack.com/archives/C036HGPBJ04): Your go-to channel for Security Champion events and information +- [#AppSec](https://equinor.slack.com/archives/CMM6FSW5V): Information regarding AppSec + +!!! info + [#AppSec](https://equinor.slack.com/archives/CMM6FSW5V) Most general information should be posted here so everyone in Equinor has access to it and can participate! Dropping a ```@appsecteam``` in this channel will get our attention immediately. + +## Relevant events + +- Check out the [events section](./events/index.md) for the different events we have going on as well as our past events 
diff --git a/docs/security-champion/1-welcome.md b/docs/security-champion/1-welcome.md deleted file mode 100644 index 330c79d4..00000000 --- a/docs/security-champion/1-welcome.md +++ /dev/null @@ -1,22 +0,0 @@ - -# Welcome - -![sc-welcome](./sc-welcome.png) - -## Say Hello to Others - -Join the [#appsec](https://equinor.slack.com/archives/CMM6FSW5V) and [#security-champion](https://equinor.slack.com/archives/C036HGPBJ04) channels on Slack, and say hello. Avoid missing out on things by turning on notifications for all messages. - -!!! question "Here's a puzzle for you :" - Get your gift by _decoding_ this challenge - - -## Reading Material - -- Guidelines will be added [here](../guidelines/index.md) and you are invited to contribute. -- Participate in cool events, conferences and network meetings in the [Security Champion's group calendar](https://statoilsrm.sharepoint.com/sites/securitychampion9) - -## Hands-on Activities - -- If your team has not been onboarded to Snyk yet, reach out to the [#appsec](https://equinor.slack.com/archives/CMM6FSW5V) team to have a session organized (you'll learn about your application's security posture) -- If your team is not familiar with or has not done any Threat Modelling yet, reach out to the [#appsec](https://equinor.slack.com/archives/CMM6FSW5V) team to have a session organized (it's cool stuff, you'll see) -- To brush up on common web security topics consider the [Web Security Academy](https://portswigger.net/web-security). This is the free, online web security training from the creators of Burp Suite. diff --git a/docs/security-champion/2-new_security_champion.md b/docs/security-champion/2-new_security_champion.md deleted file mode 100644 index 25b49e18..00000000 --- a/docs/security-champion/2-new_security_champion.md +++ /dev/null 
@@ -1,162 +0,0 @@ -# Onboarding for new Security Champions - -## Welcome young padawan - -Now that you've signed up for Equinor's Security Champion environment, I bet you're wondering what you've gotten yourself into? If you haven't had an onboarding meeting since you joined, please request one in the Security Champion slack channel! We hope to get everyone automagically invited, but mistakes can happen. - -!!! tip - If you haven't had an onboarding meeting since you joined, please request one in the Security Champion slack channel! - -## Expectations - -Security is _everyone's_ responsibility! You as a Security Champion are a voice for security. Your role is to bring security on the agenda within your team, helping the "shift left security" mentality. - -!!! important - Security is _everyone's_ responsibility! You as a Security Champion are a voice for security. - -The Security Champions environment is a community made up of people interested in security where the _people_ are in the center. You and your experiences will drive this community, and we will rely on you to participate in discussions, activities and ask questions. Don't worry, we won't bite! - -## What you get - -- You get to take part in a community of like-minded people. -- There will be activities only catered to Security Champions, which can be used to improve your knowledge regarding security. This will hopefully ignite that security spark within you. -- You will help form this community, as your voice and your experiences matter. -- You will also get experiences and knowledge that might help advance your career. -- Last but not least: Awesome merch! - -!!! note - There will be activities only catered to Security Champions, which can be used to improve your knowledge regarding security. - -## Learning platform - -We are testing out a secure coding learning platform. You as a champion are a perfect match, and that is why you get special merch by learning! - -### What can you expect? 
- -- Learning about security and secure coding in "hands on" sessions in a sandbox environment -- View video lessons -- Gain unique merch based off your belt level! -- Contribute to the SCN -- Have fun! -- Bragging rights -- Learn things that may help advance your career! - -!!! info - You can gain unique merch based on your belt level! - -There is a wide arrangement of subjects, and you can do them all if you wish! So there are tracks for: - -- AppSec -- Docker security -- DevSecOps -- Data Scientist -- OWASP Mobile top 10 (ios/android) -- OWASP API top 10 -- Web App Tester -- Web dev -- ++ - -Use [this form](https://forms.microsoft.com/e/7BTkd7gGJT) to sign up for it! Happy learning! - -### Belt system - -We are launching a new belt system with this learning platform. There are 5 belts you can achieve, where White, Yellow, and Green belt are achievable from only learning through the platform. More on the merch you can get from the different belts [here](#merch). The brown and black belts are something special. They require you to complete activities normally in the Security Champion network. - -!!! Danger " " - The brown and black belts are special and require you to complete activities normally in the Security Champion network. - -- In order to start earning the brown belt, you need to have completed the three belts from the learning platform (white, yellow, and green). -- In order to gain the brown belt, you need to complete 3 activities from the list below. To achieve the black belt, you need to complete 6 new activities, for a total of 9. - -You report this by using the "Champion passport", add your activity, select "1" in hour slot, and comment on what you did, and when you did it. We will then go through and double-check the activity, and if everything is A-OK, you get the activity successfully registered! - -### Activities - -Please help contribute with useful activities that make sense in Equinor context for Equinor Security Champions. 
The list below might change based on your feedback. - -- Talk briefly about your project/challenges in regards to security in the coffee or go through a Security Journey task. -- Facilitate a Threat Modeling session for your team/project. -- Share a write-up of a security activity you/your team did on Slack. -- Speak at a seminar/meetup. -- Set up Secret scanning for your project [using our guidelines](https://appsec.equinor.com/guidelines/secret-scanning/). -- Make a pull-request to an Equinor internal repository with a security-enhancing feature. -- Have a Security Champion from another team join/review your threat model. -- Join/review another team's threat model. -- Publish or suggest changes to guidelines on [appsec.equinor.com](https://appsec.equinor.com/guidelines/). -- Attend a Security Journey tournament. -- Gain three white belts. -- Gain two yellow belts. -- Gain two green belts. - -!!! note - The list of activities might change based on your feedback. - -## Merch - -As SCN age, we will have different merch come and go. Below we have a record of some of the selections we have given out. Some of them are out of stock, some are in stock, you never know! Should we get someone to do inventory? Probably... - -- Stickers: A large assortment of stickers to help show that you are the voice of security! With the number of stickers we have, you will get a proper workout while carrying your laptop. -- Hoodie: You act the part? Great! The only thing lacking is dressing for the part! -- Socks: Socks decorated with The Security Champion shields! Would they have protected Achilles? Maybe not. Will they protect you from cyber criminals? Who knows! But you will certainly look stylish while being hacked! -- Book (Alice and Bob Learn Application Security): Complete the challenge at [this form](https://forms.microsoft.com/r/cLRPzRtPGQ). -- AbbSack: You have to see it to believe it! Keep your items _secure_ while traveling. 
-- Lanyard: Decorate your neck with shields to ward off evil _phishing_ attacks. It even holds your card! -- Pins: Decorate your lanyard or clothes with shields to further increase your _phishing_ protection. -- Christmas ornament: No Christmas is secure without your own Security Champion Christmas tree ornament. -- S.W.A.T. (Small Work Addictive Thing), the latest and freshest within fidget toys. Meetings will never be the same! - - -To get these items, you can find out where the AppSec office is, social engineer your way into the building, find our seats, and ask for one or more of the items. - -OR - -You can get in touch with the team when we do stands and events. - -### Merch for belts - -Since we are launching a new belt system connected to the secure coding platform, we need fresh merch! Below is a list of what you can get at the different belt systems. The items will be shipped via mail unless you can pick it up in the building (Forus Øst). If shipped, it may take some time before you get it! But all things come to those who wait ;) - -- White belt: - - Your very own lanyard decorated with placeholders for those hard-earned pins. -- Yellow belt: - - A yellow pin to hang on your newly acquired lanyard. Be proud! - - A yellow S.W.A.T. to showcase your advancement within security. It will be your best friend in meetings. -- Green belt: - - A green pin to display your advanced knowledge of secure coding. -- Brown belt: - - A brown pin to show that you are no rookie in terms of being one of the top-notch champions in our network. - - A brown S.W.A.T. that will become your best friend when focusing. -- Black belt: - - A black pin. Your final step to look like an overly decorated army general. You can retire happy as your life-long goal of contributing to Equinor's Security Champion Network is finally complete _for now_. - - Hoodie: Now that you are all medal'ed out, the last thing you need is that sweet warm hacker hoodie to put the . over the i. - -!!! 
note - If shipped, it may take some time before you get it! But all things come to those who wait ;) - -## Relevant web sites - -- [Equinor AppSec](https://appsec.equinor.com/) - -## Relevant Slack channels - -- [#Security-Champions](https://equinor.slack.com/archives/C036HGPBJ04): Your go-to channel for Security Champion events and information. -- [#AppSec](https://equinor.slack.com/archives/CMM6FSW5V): Information regarding AppSec. Most general information should be posted here so everyone in Equinor has access to it and can participate! - -!!! info - [#AppSec](https://equinor.slack.com/archives/CMM6FSW5V) is for general information about AppSec, accessible to everyone in Equinor. - -## Relevant activities - -In the Security Champions, **YOU** are the key ingredient. We have multiple meetings where we gather everyone who wants. Join us! - -- [Morning coffee](https://appsec.equinor.com/security-champion/events/#morning-coffee) -- [Security Champion seminar](https://appsec.equinor.com/security-champion/events/#security-champion-seminar) -- [Security Champions meetups](https://appsec.equinor.com/security-champion/events/2023/1-sc-meetup-2/) -- Keep an eye out in [#AppSec](https://equinor.slack.com/archives/CMM6FSW5V) for new and exciting workshops! - -!!! info - For more information, please check out the [Security Champion Sharepoint](https://statoilsrm.sharepoint.com/sites/securitychampion9/). - -## Further activities - -Please check out [the activities section](security_champion_activities.md) for more activities for you and your team! diff --git a/docs/security-champion/security_champion_activities.md b/docs/security-champion/2-security_champion_activities.md similarity index 79% rename from docs/security-champion/security_champion_activities.md rename to docs/security-champion/2-security_champion_activities.md index 16c19b96..fd0a80be 100644 --- a/docs/security-champion/security_champion_activities.md 
+++ b/docs/security-champion/2-security_champion_activities.md @@ -3,7 +3,7 @@ ## Introduce yourself -Say hello in the [Security Champion channel](https://equinor.slack.com/archives/C036HGPBJ04) πŸ‘‹ Always fun to meet new champions +Say hello in the [Security Champion channel](https://equinor.slack.com/archives/C036HGPBJ04) πŸ‘‹ Always fun to meet new champions. ## Ensure that all your code is being scanned by SAST @@ -11,10 +11,19 @@ Ensure all your projects code is scanned by Snyk, and that you have Snyk Code en ## Define [security requirements](../resources/security_requirements.md) -Have a look at our [security requirements](../resources/security_requirements.md) page and define some for your project +Have a look at our [security requirements](../resources/security_requirements.md) page and define some for your project. + +## Check out our guidelines + +We have created a few [guidelines](../guidelines/index.md). Please check them out and consider implementing them in your projects where it makes sense. + +!!! info + Feedback is good, so if you have any, feel free to contact us, or even create a PR on our [github repo](https://github.com/equinor/appsec/)! ## Threat Modelling activities +We can organize introductory sessions to threat modelling, simply reach out to the `@appsecteam` on our Slack channel [#appsec](https://equinor.slack.com/archives/CMM6FSW5V). + - Facilitate a [threat modelling session](../threat-modeling/resources/threat_modelling.md) with your team - looking at the high level architecture of your system(s) - Introduce "Abuser stories" for all your tasks (ex add it some template you are using for detailing tasks) @@ -40,4 +49,4 @@ Just go to our github-repo and make a PR. Pro tip: You can use Visual Studio Cod ## Manually security test your application -Have a look at [WSTG](https://owasp.org/www-project-web-security-testing-guide/) +Have a look at [WSTG](https://owasp.org/www-project-web-security-testing-guide/). 
diff --git a/docs/security-champion/faq.md b/docs/security-champion/3-faq.md similarity index 60% rename from docs/security-champion/faq.md rename to docs/security-champion/3-faq.md index 5a9e874d..9c6d0361 100644 --- a/docs/security-champion/faq.md +++ b/docs/security-champion/3-faq.md 
@@ -16,18 +16,33 @@ It depends on what _you_ want to do. It can be everything from just informing th No, but we highly recommend everyone on sharing. It might also be that you hear about a problem or solution from a team member or co-worker that can be shared. Asking questions is also contributing! +## I don't know anything that's worth sharing + +Are you sure? Everyone knows something, and how you apply certain tools or how you've implemented security testing could be very interesting! The [Impostor syndrome](https://en.wikipedia.org/wiki/Impostor_syndrome) is real, and we need to combat it. + +## I have a success story I want to share + +Awesome! We want to hear about what you did. Reach out to the AppSec team on Slack. Maybe we will award this with unique merch as well? + +Even if it was something "bad" you discovered in your project, why not share? It's important to highlight the issues we have as well as the good, as everything can be used to learn from. + ## So I joined, what now? -Say hi in to your fellow Security Champions in [#security-champion](https://equinor.slack.com/archives/C036HGPBJ04), join the channel [#appsec](https://app.slack.com/client/T02JL00JU/CMM6FSW5V) for security related questions and updates. -Add the Morning Coffee to your calendar by downloading the calendar invite [here](https://statoilsrm.sharepoint.com/sites/securitychampion9). +Check out what you can do in the [activities](./2-security_champion_activities.md) section. ## I want to attend one of the Security Champion events / meetups. Do you provide a WBS for hours and travel expenses? The Security Champion initiative is a network we invite IT professionals to join and share experiences. Members need to ask their project managers or line leaders for approval to travel and spend time on the network. +## I don't have enough time to spend on security related work + +If you feel like the team do not get the needed time to work on security, please reach out to the AppSec team on Slack. 
We can help convey the importance and help highlight risk in your team. + ## Can we have more Security Champions in our team? -We recommend each team to have 1-2 champions, and share their learnings with the rest of the team. Remember that it is the entire team that is responsible for the security of applications in the team's portfolio. The Security champions will support the team, but not bear any extended responsibility. +Ideally, each development team should have one or more team-members who takes on the role of Security Champion. If you are unsure if you have too many, don't hesitate in reaching out to ask. + +Remember that it is the entire team that is responsible for the security of applications in the team's portfolio. The Security champions will support the team, but not bear any extended responsibility. ## How can sign up to become a Security Champion? diff --git a/docs/security-champion/4-learning-platform.md b/docs/security-champion/4-learning-platform.md new file mode 100644 index 00000000..4cee2276 --- /dev/null +++ b/docs/security-champion/4-learning-platform.md 
@@ -0,0 +1,65 @@ +# Secure Code Learning platform + +We are testing out a secure coding learning platform. You as a champion are a perfect match, and that is why you get special merch by learning! + +## What can you expect? + +- Learning about security and secure coding in "hands on" sessions in a sandbox environment +- View video lessons +- Gain unique merch based off your belt level! +- Contribute to the SCN +- Have fun! +- Bragging rights +- Learn things that may help advance your career! + +!!! info + You can gain unique merch based on your belt level! + +There is a wide arrangement of subjects, and you can do them all if you wish! So there are tracks for: + +- AppSec +- Azure +- Docker security +- DevSecOps +- Data Scientist +- OWASP Mobile top 10 (ios/android) +- OWASP API top 10 +- Web App Tester +- Web dev +- ++ + +Use [this form](https://forms.microsoft.com/e/7BTkd7gGJT) to sign up for it! Happy learning! + +## Belt system + +We are launching a new belt system with this learning platform. There are 5 belts you can achieve, where ```White```, ```Yellow```, and ```Green``` belt are achievable from only learning through the platform. More on the merch you can get from the different belts [here](./5-merch.md#merch-for-belts). The ```brown``` and ```black``` belts are something special. They require you to complete activities that give back to the Security Champion network. + +!!! Danger " " + The ```brown``` and ```black``` belts are special and require you to complete activities normally in the Security Champion network. + +- In order to start earning the brown belt, you need to have completed the three belts from the learning platform (```white```, ```yellow```, and ```green```). +- In order to gain the ```brown``` belt, you need to complete 3 activities from the list below. To achieve the ```black``` belt, you need to complete 6 new activities, for a total of 9. 
+ +You report this by using the "Champion passport", add your activity, select ```1``` in hour slot, and comment on what you did, and when you did it. We will then go through and double-check the activity, and if everything is A-OK, you get the activity successfully registered! + +## Activities + +Please help contribute with useful activities that make sense in Equinor context for Equinor Security Champions. The list below might change based on your feedback. + +- Talk briefly about your project/challenges in regards to security in the coffee or go through a Security Journey task +- Facilitate a Threat Modeling session for your team/project +- Share a write-up of a security activity you/your team did on Slack +- Speak at a seminar/meetup +- Set up Secret scanning for your project [using our guidelines](https://appsec.equinor.com/guidelines/secret-scanning/) +- Make a pull-request to an Equinor internal repository with a security-enhancing feature +- Have a Security Champion from another team join/review your threat model +- Join/review another team's threat model +- Publish or suggest changes to guidelines on [appsec.equinor.com](https://appsec.equinor.com/guidelines/) +- Attend a Security Journey tournament +- Gain three ```white``` belts +- Gain two ```yellow``` belts +- Gain two ```green``` belts +- Create a success story about something your team did. Check out [success stories](./success-stories/index.md) for template + +!!! note + The list of activities might change based on your feedback. diff --git a/docs/security-champion/5-merch.md b/docs/security-champion/5-merch.md new file mode 100644 index 00000000..d75705dc --- /dev/null +++ b/docs/security-champion/5-merch.md 
@@ -0,0 +1,45 @@ +# Merchandise + +Merch is an important tool in building a security culture. We need to be visible, both the AppSec team and our champions to raise awareness to security. We also want to make being a Security Champion something to be proud of, and we are leveraging merch as one of the tools in order to manage this. + +As SCN age, we will have different merch come and go. Below we have a record of some of the selections we have given out. Some of them are out of stock, some are in stock, you never know! Should we get keep inventory? Probably... + +- ```Stickers```: A large assortment of stickers to help show that you are the voice of security! With the number of stickers we have, you will get a proper workout while carrying your laptop +- ```Black Hoodie```: Display your black belt to everyone in the vicinity. You are a true champion +- ```Socks```: Socks decorated with The Security Champion shields! Would they have protected Achilles? Maybe not. Will they protect you from cyber criminals? Who knows! But you will certainly look stylish while being hacked! +- ```Book (Alice and Bob Learn Application Security)```: Complete the challenge at [this form](https://forms.microsoft.com/r/cLRPzRtPGQ) +- ```AbbSack```: You have to see it to believe it! Keep your items _secure_ while traveling +- ```BallSec```: Those pesky attackers are giving you a lot of stress? Relieve it with your branded stress ball! +- ```Lanyard```: Start your belt journey to black belt here with a stylish card holder +- ```Pins```: Decorate your lanyard to display your belt level to the world +- ```Christmas ornament```: No Christmas tree is secure without your own Security Champion Christmas tree ornament. Is it because the christmas tree is offline? Most likely +- ```S.W.A.T. (Small Work Addictive Thing)```: the latest and freshest within fidget toy technology. Meetings will never be the same! This exists in multiple colors. Gotta cath'em all! 
+ +## How to get merch + +- Getting belts through our [secure code learning platform](./4-learning-platform.md) +- Attend gatherings arranged by the AppSec team +- Speak at a seminar to get a unique golden and black S.W.A.T. +- Talk to the AppSec team during conferences +- Doing good work (and tell about it), and maybe you'll get a kudos prize + +## Merch for belts + +Since we are launching a new belt system connected to the secure coding platform, we need fresh merch! Below is a list of what you can get at the different belt systems. The items will be shipped via mail unless you can pick it up in the building (Forus Øst). + +- ```White``` belt: + - Your very own white lanyard decorated with placeholders for those hard-earned pins. +- ```Yellow``` belt: + - A yellow pin to hang on your newly acquired lanyard. Be proud! + - A yellow S.W.A.T. to showcase your advancement within security. It will be your best friend in meetings. +- ```Green``` belt: + - A green pin to display your advanced knowledge of secure coding. +- ```Brown``` belt: + - A brown pin to show that you are no rookie in terms of being one of the top-notch champions in our network. + - A brown S.W.A.T. that will become your best friend when focusing. +- ```Black``` belt: + - A black pin. Your final step to look like an overly decorated army general. You can retire happy as your life-long goal of contributing to Equinor's Security Champion Network is finally complete _for now_. + - Hoodie: Now that you are all medal'ed out, the last thing you need is that sweet warm hacker hoodie to put the . over the i. + +!!! note + Merch will "build up" and be shipped in bulk, normally every 2/3 belt levels in order to avoid too much shipping work. diff --git a/docs/security-champion/3-offboarding.md b/docs/security-champion/6-offboarding.md similarity index 75% rename from docs/security-champion/3-offboarding.md rename to docs/security-champion/6-offboarding.md index 1de13ce6..ba677ab9 100644 
--- a/docs/security-champion/3-offboarding.md +++ b/docs/security-champion/6-offboarding.md @@ -2,6 +2,8 @@ ## Sad to see you go -We are all busy people in a busy time. If you feel the need to leave the Security Champion Network, then it's all good. Circumstances change, and you are free to use [this offboarding form](https://forms.microsoft.com/e/grBttpH6A4) to automagically leave. If you have someone that is interested in taking over the role for you, please point them to the champions onboarding section. +We are all busy people in a busy time. If you feel the need to leave the Security Champion Network, then it's all good. Circumstances change, and you are free to use [this offboarding form](https://forms.microsoft.com/e/grBttpH6A4) to automagically leave. -Though you may leave the network, we hope the learnings from the network stay with you forever. +If you have someone that is interested in taking over the role for you, please point them to the champions onboarding section. + +Though you may leave the network, we hope the learnings from the network stay with you forever. You are always welcome back at a later time! diff --git a/docs/security-champion/7-about.md b/docs/security-champion/7-about.md new file mode 100644 index 00000000..253d916b --- /dev/null +++ b/docs/security-champion/7-about.md 
@@ -0,0 +1,27 @@ +# About the network + +The Security Champion Network is intended to be a community for Security Champions in Equinor. Software development over the last years has rapidly evolved from big development teams consisting of dozens of developers to smaller autonomous teams where we are today. With greater responsibility of the whole lifecycle of applications, modern DevOps teams are also expected to handle security. + +This network was born to facilitate security awareness and competence building in DevOps teams. These are necessary ingredients for successfully [_shifting security left_](https://snyk.io/learn/shift-left-security/). It is a place where teams can safely exchange experiences - _both good and bad_, and hopefully learn from each others. The end goal is for the Security Champion Network to become Equinor's powerhouse for application security. + +## Desired outcome + +Create a lively community for people working with Application Security in Equinor. Knowledge is shared across teams, and we are then able to scale security in a more impactful way. + +## Activities + +Please check our [event](./events/index.md) site for info about upcoming and past Security Champion network events. + +The main communication channel for the community is [Slack](https://app.slack.com/client/T02JL00JU/CMM6FSW5V). This is where people can post questions exchange experiences when it comes to different tools and technologies etc. + +## Role of the AppSec team + +The Security Champions Network is run by the AppSec team, but we aim to empower our champions to contribute in any way they can. + +Do you have a guideline you want to create? Do you want to hold a seminar talk? Would you want to organize an event? Whatever the idea is, _let's have a chat! 
🀟_ + +Reach out to us on [Slack](https://app.slack.com/client/T02JL00JU/CMM6FSW5V) or e-mail at ``appsec[at]equinor.com`` + +## Contact us + +If you are reading this from across the web and want to reach out about the program and how we do things, please do so by sending an e-mail to ``appsec[at]equinor.com`` or reach us through the [Security Champions Norge](https://security-champions-no.slack.com/) Slack. diff --git a/docs/security-champion/useful-links.md b/docs/security-champion/8-useful-links.md similarity index 99% rename from docs/security-champion/useful-links.md rename to docs/security-champion/8-useful-links.md index ef438d81..ab4caec4 100644 --- a/docs/security-champion/useful-links.md +++ b/docs/security-champion/8-useful-links.md @@ -8,4 +8,3 @@ These are some relevant resources for security champions - [Security champions @ NAV](https://sikkerhet.nav.no/docs/security-champion-rolle/) - [OWASP security champions](https://owasp.org/www-project-security-culture/stable/4-Security_Champions/) OWASP information and recommendations about security champions networks - diff --git a/docs/security-champion/about.md b/docs/security-champion/about.md deleted file mode 100644 index 4b4421b1..00000000 --- a/docs/security-champion/about.md +++ /dev/null 
@@ -1,29 +0,0 @@ -# About the network - -The security champion network is intended to be a community for security champions in Equinor. Software development over the last years has rapidly evolved from big development teams consisting of dozens of developers to smaller autonomous teams where we are today. With greater responsibility of the whole lifecycle of applications, modern DevOps teams are also expected to handle security. - -This network rises from the realization that this shift-left thinking when it comes to security requires competence building within the developer teams. As the network grows we strive for it to become a powerhouse in Equinor when it comes to application security. It will be a place where teams can exchange experiences - both good and bad, and hopefully learn from each others. - -## Desired outcome - -Create a lively community for people working with Application Security in Equinor. - -## Activities - -Please check our [event](./events/index.md) site for info about upcoming Security Champion network events. - -The main communication channel for the community is [Slack](https://app.slack.com/client/T02JL00JU/CMM6FSW5V). This is where people can post questions exchange experiences when it comes to different tools and technologies etc. - -We have a weekly SecChampion morning coffee on wednesdays. You will find instructions on how to attend on the [event](./events/index.md) site. - -We have a monthly virtual event for the network with some presentations and deep dive into topics. Please reach out if you have something you are interested in sharing! - -Of course we cannot build a community solely on virtual meetings, we need to see each other physically too! When we get the network up and running, we intend to have 1-2 physical gatherings for all Champions per year :handshake: :pizza:. - -## Responsibilities - -Everyone in the community is responsible for keeping these info sites up to date. 
They are all based on markdown, don't hesitate to make a PR with fixes, or some new guidelines! - -## Role of the AppSec team - -The AppSec team will be spending some time getting the Security Champion up and running, but our goal is that it over time will be come self sustaining with motivated and engaged members. Would you like to take on some extra responsibilities when it comes to organizing events and keeping there pages up to date? Please reach out to us on [Slack](https://app.slack.com/client/T02JL00JU/CMM6FSW5V) or email at ``appsec[at]equinor.com`` diff --git a/docs/security-champion/events/add_SecurityChampions_calendar.png b/docs/security-champion/add_SecurityChampions_calendar.png similarity index 100% rename from docs/security-champion/events/add_SecurityChampions_calendar.png rename to docs/security-champion/add_SecurityChampions_calendar.png diff --git a/docs/security-champion/events/index.md b/docs/security-champion/events/index.md index 745fc289..6d641a4f 100644 --- a/docs/security-champion/events/index.md +++ b/docs/security-champion/events/index.md 
@@ -10,13 +10,13 @@ On the last Thursday of every month, from 12.00 to 13.00, we host the Security C ### Presenting at the seminar -Do you have any topics you are interested in sharing? Great!😍 Please submit your interest using [this form](https://forms.office.com/r/nVn8BPst42), or get in touch with the `@appsecteam` on [Slack](https://equinor.slack.com/archives/C036HGPBJ04). +Do you have any topics you are interested in sharing? Great!😍 Please submit your interest using [this form](https://forms.office.com/r/nVn8BPst42), or get in touch with the `@appsecteam` on [Slack](https://equinor.slack.com/archives/C036HGPBJ04). If you do, not only will you be rewarded with positive feedback, but you will get unique merch! ## Add Security Champion events to your calendar To check all events, and add them to your own calendar, go to your outlook calendar and select the Security Champion Calendar from group calendars: -![Security Champion Calendar](./add_SecurityChampions_calendar.png) +![Security Champion Calendar](../add_SecurityChampions_calendar.png) _Note: This option might not be available on Mac, if that is your case, another option is to use outlook through connectit to add the events._ diff --git a/docs/security-champion/getting-in-touch.md b/docs/security-champion/getting-in-touch.md deleted file mode 100644 index 1d48f359..00000000 --- a/docs/security-champion/getting-in-touch.md +++ /dev/null 
@@ -1,7 +0,0 @@ -# Getting in Touch - -We believe in being reachable to all who want to have a discussion. So we have come up with a system of representation to ensure that you are provided with the support you need. - -You can always drop a message on the [#appsec](https://equinor.slack.com/archives/CMM6FSW5V) and [#security-campion](https://equinor.slack.com/archives/C036HGPBJ04) slack channels, but we have also assigned you representative(s) from our team. Once you have signed up to be a Security Champion, you can find your representative(s) [here](https://statoilsrm.sharepoint.com/sites/securitychampion9) under the 'Appsec Representative' section. - -Your AppSec representative(s) will also connect with you from time to time to check if you need help with tackling security related challenges. diff --git a/docs/security-champion/index.md b/docs/security-champion/index.md index 78ec332a..33ce9fde 100644 --- a/docs/security-champion/index.md +++ b/docs/security-champion/index.md 
@@ -1,30 +1,38 @@ -# Security Champion +# What is a Security Champion -## Info about Security Champion +You are probably wondering what a Security Champion is in Equinor context and what you can expect if you join? Well then you are on the right track. -Ideally, each development team should have one or more team-members who takes on the role of Security Champion. When an **area** are supported by many small teams (1-2 persons) this **area** should be represented by one or more security champions. +A Security Champion in our context is a person who has a interest in security and want to expand on this interest. The Security Champions Network (SCN) is a network where people and security is in the center. -A Security Champion is a team-member who amplifies the security message at the team level. +!!! info + You do not need to have any security knowledge to join, but the eagerness to learn and share + +## What do we expect from you? -In practice, this means to act as the "security conscience" of the team. -You do not need to be a security expert to become a Security Champion, an interest for security is more than enough. +- See something, say something. You are the voice of security, so please use it +- Join our coffees/seminars/meetups +- Share experiences, both good and bad +- Ask questions and be curious +- Respond to feedback requests +- Share what you learn with your team !!! info - Please note that security is a team responsibility, and the Security Champion is not more accountable for security than any other team member + A Security Champion is the voice of security, and security is a _team effort_. + +You as a champion are the heart of this network. We know time might be tight, but we greatly appreciate all participation. + +## What can you expect? 
+ +- You get to take part in a community of like-minded people +- You can attend activities only catered to Security Champions +- You will help form this network, as your voice and your experiences matter +- You will get experiences and knowledge that might help advance your career +- Last but not least: Awesome merch! -Tasks *could* involve: +## How to become a Security Champion? -- Staying up-to-date with best practices and security related news -- Attend security related conferences/training/workshops -- Raising awareness of security issues within the development team -- Being part of the Security Champion community -- Facilitate threat modelling -- Conduct and/or verify automated scans -- Be the point of contact for security related stuff -- Drive internal bug-bounty +Becoming a Security Champion is as easy as filling out [this form](https://forms.microsoft.com/r/3C2vwEh2i0). -As a Security Champion you would be a target audience for a lot of the work done by the Equinor AppSec team. -The AppSec team will be providing workshops, training, resources and support where needed. +## Questions? -!!! todo "Signup Information" - Use [this form](https://forms.office.com/r/3C2vwEh2i0) for signing up to the security champion's network +Try checking out our [FAQ](./3-faq.md). diff --git a/docs/security-champion/sc-welcome.png b/docs/security-champion/sc-welcome.png deleted file mode 100644 index b62e6e06..00000000 Binary files a/docs/security-champion/sc-welcome.png and /dev/null differ diff --git a/docs/security-champion/success-stories/index.md b/docs/security-champion/success-stories/index.md index 8898e2d1..f211c2ea 100644 --- a/docs/security-champion/success-stories/index.md +++ b/docs/security-champion/success-stories/index.md 
@@ -1,19 +1,22 @@ # Success Stories πŸ† -We would like to document all the cool things we do and the problems we solve in this journey. It is also a way to give back and contribute to the community. So don't shy at submitting a pull request! +We want to highlight success stories to remind ourselves that we do good work, and we should promote that. If you have something in mind, consider writing a success story. It's even an activity to reach the [brown/black belt](../4-learning-platform.md#activities)! -## Here is a template to get you started : -- **The Champion(s):**
-The champion(s) corresponds to the protagonist(s) of the project. If you don't want your name published here, it's fine to only mention your team. +!!! info + Please use the below template and send it to the AppSec team on Slack or e-mail at ``appsec[at]equinor.com`` + +## Here is a template to get you started -- **The Initial Situation:**
-The initial situation is usually unsatisfying for the champion(s). +This is just a guidance, you do you when telling this story. Feel free to include pictures to illustrate, and provide sources where applicable. + +- **The Champion(s):**
+The champion(s) corresponds to the protagonist(s) of the project. This is normally you and your team - **Pain points:**
-The pain points of the initial situation are the reasons why the champion(s) has started his/her quest. +The pain points of the initial situation are the reasons why the champion(s) has started the quest. - **The Quest:**
-The quest corresponds to the activities undertaken to improve or remediate the initial situation. During the quest, the champion(s) will come across a number of challenges or adventures that he/she will need to overcome. +The quest corresponds to the activities undertaken to improve or remediate the initial situation. During the quest, the champion(s) will come across a number of challenges or adventures that he/she will need to overcome. - **Happy End:**
At the end, the champion(s) has managed to create a new stable environment that is better than the initial situation. @@ -21,6 +24,5 @@ At the end, the champion(s) has managed to create a new stable environment that !!! tip "Tips" Try to add technical and quantifiable information to the story to better showcase the value. -!!! Warning "Note" +!!! Warning "Note" Please keep in mind that the site is accessible publicly to everyone across the internet, therefore avoid sharing information that is sensitive or should not be available to the public. -
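Review bot: The Slack link in the added "Reach out to us" and "Contact us" lines uses the `https://app.slack.com/client/T02JL00JU/CMM6FSW5V` form, while every other page touched in this change links the same channel as `https://equinor.slack.com/archives/CMM6FSW5V`; pick one form for the whole docs set so readers land in the same place regardless of which page they start from, and keep the `appsec[at]equinor.com` obfuscation consistent with it, since this section is explicitly aimed at readers "from across the web".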
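Review bot: Deleting `about.md` removes content that nothing else in this diff re-adds, in particular the "Responsibilities" paragraph (everyone keeps these pages up to date, send a PR with fixes or new guidelines) and the concrete cadence of the weekly Wednesday morning coffee and the monthly virtual seminar; confirm those statements now live in `3-faq.md`, `2-security_champion_activities.md` or `events/index.md`, or carry the "Responsibilities" paragraph over to the new `index.md` so the invitation to contribute is not lost.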
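Review bot: Deleting `getting-in-touch.md` drops the only description of the AppSec representative system (each champion is assigned representative(s), listed on SharePoint under "Appsec Representative", who check in periodically); none of the added pages in this diff mention it, so either move that paragraph into the new `1-new_security_champion.md` contact section or state in the commit message that the representative scheme has been discontinued.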
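Review bot: The rewritten `index.md` removes the explicit statement that "the Security Champion is not more accountable for security than any other team member" and replaces it with the softer "security is a _team effort_"; keep the explicit accountability sentence in the new info admonition, since it is the line that stops the role being read as a single point of ownership. Smaller fixes on the same hunk: "has a interest in security and want to expand" should read "has an interest in security and wants to expand"; "where people and security is in the center" should read "where people and security are at the centre"; the info admonition "You do not need to have any security knowledge to join, but the eagerness to learn and share" is missing its ending (for example "is required"); "activities only catered to Security Champions" reads more clearly as "activities catered only to Security Champions". Also, the sign-up form host changes from `forms.office.com/r/3C2vwEh2i0` to `forms.microsoft.com/r/3C2vwEh2i0` while `events/index.md` in this same change still uses `forms.office.com`; confirm the new host resolves and use one host throughout.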
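Review bot: The new link `[brown/black belt](../4-learning-platform.md#activities)` targets a file and anchor not touched by this change; verify that `4-learning-platform.md` exists with an "Activities" heading under the new numbered naming scheme, or the build will ship a dead link. In the same hunk, "This is just a guidance, you do you when telling this story" should read "This is just guidance; you do you when telling this story", "The champion(s) corresponds to" should be "The champion(s) correspond(s) to", and the info admonition "send it to the AppSec team on Slack" should link the channel as the other pages do. The pronoun fix applied to the "Pain points" line ("has started the quest") was not applied to the "The Quest" line, which still says "that he/she will need to overcome" and only had whitespace changed; use "that they will need to overcome" for consistency.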
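Review bot: The second hunk in `success-stories/index.md` only strips trailing whitespace from `!!! Warning "Note"`; while touching that line, lowercase the admonition type to `!!! warning "Note"` to match the `!!! info`, `!!! tip` and `!!! question` admonitions used elsewhere in this change. The warning itself is the right place to be explicit: since the site is public, success stories should not name internal hostnames, repository paths or unpatched findings, which is the kind of detail the "technical and quantifiable information" tip just above invites.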