(IT) Security Function

An IT security function refers to an organizational unit (e.g., a security engineering team) or an individual (such as a security engineer, security architect, or security officer) tasked with defining and ensuring compliance with security requirements within their area of responsibility.

This function plays a key role in supporting development teams by helping them implement security requirements and verifying their correct application. The IT security function can operate across the entire organization or be dedicated to specific projects or teams.

Note: When referenced within a requirement, it indicates the responsible IT security function for a particular context (e.g. a project).

Security Champion

A Security Champion (SC)1 serves as the designated technical expert, point of contact, and coordinator for security within a specific team.

The responsibilities of this role can include:

  • Acting as a security liaison and advocate for a specific (dev) team.
  • Has a solid understanding of relevant security requirements and tools and ensures their proper implementation within the team.
  • Identifies and manages security threats and findings.
  • Verifies correct implementation of security-relevant requirements.
  • Continuously verifies and improves the effectiveness of implemented security checks and controls, their automation, and periodic assessment of security findings from tools.
  • (Actively) participates in security communities (e.g. a security community of practice) and addresses security concerns of their teams there.
  • Receives specialized security training.

Developer / Engineer

Software developers (or software engineers) have the following responsibilities:

  • Understands security aspects of general technologies he/she is working with and keeps up-to-date with it continuously.
  • Capable and responsible for avoiding, finding, and fixing vulnerabilities in their code.
  • Understand relevant security requirements and comply with them.

Development (or Dev) Team

Responsible for the security of software artifacts it develops, maintains, or operates. Continuously verifies and improves the effectiveness of implemented security checks and controls, their automation, and periodic assessment of security findings from tools.

  1. See OWASP’s Security Champion Guide and SAFECode’s Software Security Takes a Champion