SecurityChampionResponsibilities.md

File metadata and controls

77 lines (42 loc) · 3.08 KB

Security Champion Responsibilities

What I do

I am a software engineer whose main job is to write code. I additionally have a responsibility to help the team write secure software, as a source of expertise and a coach.

I coach the team in creating security processes that make our systems secure while minimising the effect on development velocity. I ensure that these processes run effectively, but I don’t make myself a bottleneck or a single point of failure in the process.

I ensure the team create an effective set of standards for securely developing their software.

I help the team define a set of security training materials, and I make sure the whole team works through all of them.

I have expertise in pen testing tools and use them during development to harden our software.

I help the team run threat modelling sessions.

I help the team identify security requirements for our software.

I work with the other Security Champions to:

  • Share best practice across teams
  • Create shared standards and resources
  • Run activities and events

What I don’t do

I am concerned only with helping engineers to create secure systems. There are therefore many security-related activities I don’t do.

I’m not an IT Security Officer.

I’m not a penetration tester.

I'm not responsible for keeping platforms (e.g. operating systems) patched.

I don’t run Information Assurance processes, risk assessments or audits.

I don’t run security investigations, security incidents or forensic investigations.

I'm not the only person who cares about security. An important part of my job is to ensure all engineers make security a priority.

I’m not the only person to run security activities – I coach others to run them effectively.

My skills

I have the skills of a senior software engineer, but with additional security knowledge.

I have a broad knowledge of security risks and how to counter them.

I'm an expert in how my team’s technologies must be used to keep them secure.

I'm well trained and hold security-related qualifications.

I'm an expert in my team’s security tooling (e.g. static analysis tools, third-party checkers).

I understand the security aspects of solution architecture.

I have coaching and influencing skills.

My connections

I make connections across the organisation and the wider security community.

I use every opportunity to share my security knowledge with my team and the practice, using a variety of formats such as coaching, presentations and blogging.

I seek sources of security expertise outside the UKHO, bringing in ideas and innovation. In particular, I connect with people in other parts of government.

I'm an active member of the UKHO security champions group.

I connect with the UKHO’s Security Team, to better understand their processes and requirements.

I work closely with solution architects to understand their security goals and concerns.