Security Culture Building
From Blockers to Enablers
Most engineers view security teams as the department that says no. PRs get stuck in security review. Deploy pipelines have security gates that fail with cryptic errors. Compliance requirements land as mandates with no context or tooling support. This dynamic creates an adversarial relationship where engineers try to avoid security involvement rather than seek it out.
Flipping this requires a fundamental shift. The security team's job is not to block insecure code. It's to make secure code the path of least resistance. Provide secure-by-default libraries. Embed security checks in CI that give actionable feedback, not just "FAIL." Offer office hours where engineers can get quick guidance instead of submitting tickets into a review queue.
Security Champions Programs
A centralized security team reviewing every PR from every team doesn't scale past 50 engineers. Instead, train one or two engineers per team as security champions. These are not full-time security roles. They're feature engineers who spend 10-15% of their time on security.
Champions review security-sensitive PRs on their own team. They attend a monthly security sync to learn about new threats and share patterns. They're the first point of contact for security questions, which means most issues get resolved without involving the central security team.
Atlassian, Uber, and Shopify all run security champion programs. The common elements: explicit time allocation (not "on top of your regular work"), training budget, a Slack channel for quick questions, and recognition in performance reviews.
Making Training Engaging
Generic security training is a waste of everyone's time. Engineers sit through videos about phishing and password hygiene and learn nothing relevant to their daily work.
Effective security training uses your actual codebase. Take a real vulnerability that was found and fixed (or a synthetic one planted in a staging environment) and walk engineers through how to find and exploit it. CTF (Capture the Flag) competitions using internal systems generate genuine engagement. Engineers compete, learn, and remember because they're solving puzzles, not watching slides.
Run quarterly security workshops focused on one topic: SQL injection, SSRF, authentication bypass, secrets management. Ninety minutes, hands-on, with your actual stack. Track attendance and completion, but make the sessions good enough that people want to come.
Integrating Security into Code Review
Add security-focused linting rules to your CI pipeline. Tools like Semgrep, Snyk, and GitHub Advanced Security can catch common vulnerability patterns automatically. The key is tuning the rules to minimize false positives. A noisy security scanner gets ignored within two weeks.
Create a lightweight security review checklist that engineers can self-serve. Does this PR handle user input? Does it introduce a new API endpoint? Does it change authentication or authorization logic? If yes to any, the security champion reviews it. If no, it proceeds through normal review.
Running a Security Champions Program That Lasts
Most security champion programs fail within a year. The champions get no protected time, receive no meaningful training, and end up as ticket routers between their team and the security org. Here is what separates programs that last from programs that quietly die.
Explicit time allocation matters more than enthusiasm. Atlassian gives champions 10-15% of their sprint capacity for security work, and managers are held accountable for protecting that time. Without this, champions default to feature work under deadline pressure every single sprint.
Monthly champion syncs with real content. Not status updates. Each month, the security team presents one recent vulnerability (from your own codebase or a public disclosure relevant to your stack), walks through the exploit chain, and discusses how to detect similar patterns in code review. Uber's champion program uses this format, and attendance stays high because engineers learn something concrete each session.
Tangible career incentives. Security champion experience should count toward promotion criteria. At Shopify, champion contributions are cited in performance reviews as examples of cross-functional impact. Without career upside, senior engineers see champion duty as a tax on their time rather than a growth opportunity.
Track two metrics for program health. First, what percentage of security-sensitive PRs get reviewed by a champion before merge? Target 80%. Second, how many security questions get resolved within the team without escalating to the central security team? A healthy program resolves 60-70% of questions locally.
Key Points
- •Shift-left security works only when security tooling integrates into existing developer workflows, not alongside them
- •Security champions embedded in feature teams are more effective than a centralized security review bottleneck
- •Training sticks when it uses your actual codebase and real vulnerabilities, not generic OWASP slides
- •Bug bounty programs surface vulnerabilities that automated tools miss and build security awareness organically
- •The goal is making the secure path the easiest path. Secure defaults beat security reviews every time
Common Mistakes
- ✗Making security training a once-a-year compliance checkbox that engineers tune out immediately
- ✗Adding security gates that block deploys without giving engineers tools to fix issues themselves
- ✗Treating security as a separate concern owned by a security team instead of a shared engineering responsibility