Scrolls
7 min read
On this page

Building Security Culture

Security cannot be bolted on by a security team working in isolation. When security is everyone's responsibility, vulnerabilities are caught during code review instead of in production. Developers write secure code by default instead of retrofitting fixes. Security culture means engineers think about security as naturally as they think about error handling — not because they are told to, but because it is part of how they work.

Security Is Everyone's Responsibility

The traditional model — a security team that reviews everything before release — does not scale. A 10-person security team cannot meaningfully review the output of 500 engineers. The bottleneck creates resentment (security is "the team that slows us down"), delays releases, and ultimately fails because the security team cannot review everything in depth.

The alternative is distributed security ownership. Every engineer owns the security of their code. Every team owns the security of their services. The security team provides tools, training, and guidance — but they do not gate every change.

# Traditional model (does not scale)
Engineering → Build feature → Security review → Fix findings → Ship

# Distributed model (scales)
Engineering → Build feature with security in mind → Ship
Security team → Tools, training, standards, audits

This does not mean the security team is unnecessary. It means the security team's role shifts from gatekeeping to enabling. They build secure defaults, provide reusable libraries, create automated checks, and train engineers.

Security Champions

A security champion is an engineer embedded in a product team who has interest and training in security. They are not full-time security professionals — they are developers who spend 10-20% of their time on security activities.

What Champions Do

# Security champion responsibilities
- Review team code changes with a security lens
- Triage security tool findings for their team
- Attend monthly champion meetings with the security team
- Bring security concerns from their team to the security team
- Advocate for security improvements in sprint planning
- Help teammates fix security issues
- Stay current on threats relevant to their team's domain

Building a Champion Program

Selection. Look for engineers who are already interested in security, ask good questions during code review, or have reported vulnerabilities. Do not assign champions — recruit volunteers.

Training. Provide initial training (a 2-day workshop covering the OWASP Top 10, secure coding for your stack, and your internal security tools), then ongoing monthly sessions on specific topics.

Recognition. Champion work must be visible in performance reviews. If security contributions are invisible to managers, champions will deprioritize them for feature work.

Community. Monthly meetings where champions share findings, discuss threats, and learn from each other create a support network and prevent champions from feeling isolated.

A company with 20 product teams and one security champion per team has 20 additional people watching for security issues — a force multiplier that no amount of security tooling can replace.

Secure Coding Training

Annual security training that consists of watching a video and clicking through a quiz is worthless. Engineers forget it within a week. Effective security training is practical, hands-on, and relevant to the technologies your teams actually use.

What Effective Training Looks Like

Language and framework specific. Training a Python Django team on Java Spring vulnerabilities wastes everyone's time. Training should use the languages, frameworks, and tools engineers encounter daily.

Hands-on exercises. Give engineers vulnerable applications to exploit. When a developer successfully performs SQL injection against a test application, they understand the vulnerability viscerally in a way that slides never achieve.

# Training exercise structure
1. Present a vulnerable code snippet
2. Engineers identify the vulnerability
3. Engineers exploit it in a sandbox environment
4. Discuss the fix and the underlying principle
5. Engineers implement the fix and verify it blocks the exploit

Annual refresh with quarterly updates. Full training annually. Short 30-minute sessions quarterly covering new vulnerabilities, recent incidents (sanitized), or new security tools.

Onboarding integration. New engineers complete secure coding training within their first month. Do not wait for the next annual cycle.

Measuring Effectiveness

Track metrics that show whether training changes behavior:

  • Security findings per code review (should decrease over time)
  • Time to remediate security issues (should decrease)
  • Number of security issues caught by engineers vs. tools (should shift toward engineers)
  • Champion engagement (meeting attendance, security PRs submitted)

Security in Code Reviews

Code review is the most natural place to catch security issues. Every change is already being reviewed — adding a security lens costs minutes, not hours.

The Security Review Checklist

Add security-specific items to your code review template.

# Security review checklist
Input handling:
  [ ] User input is validated and sanitized
  [ ] SQL queries use parameterized statements
  [ ] Output is properly encoded/escaped

Authentication & Authorization:
  [ ] Endpoints require appropriate authentication
  [ ] Authorization checks verify the user can perform the action
  [ ] Sensitive operations require re-authentication

Data handling:
  [ ] No secrets hardcoded in code
  [ ] Sensitive data is encrypted at rest and in transit
  [ ] PII is not logged

Error handling:
  [ ] Errors do not expose internal details to users
  [ ] Failed operations fail securely (deny by default)

Dependencies:
  [ ] New dependencies are from reputable sources
  [ ] No known vulnerabilities in new dependencies

Not every item applies to every change. The checklist serves as a reminder, not a requirement to check every box on every PR.

Making It Practical

Automate what you can. Use SAST tools to flag obvious issues automatically. Let humans focus on logic and design review.

Do not block on low-risk items. A missing security header on an internal tool does not need to block a deployment. Prioritize issues by actual risk.

Provide context, not commands. "This could be vulnerable to SSRF because the URL comes from user input — can we validate the hostname against an allowlist?" is more educational than "Fix this security issue."

Rewarding Security Contributions

What gets rewarded gets done. If security contributions are invisible, they will not happen.

Bug bounty for internal findings. Reward engineers who find security issues in other teams' code. Even small rewards (gift cards, team lunches, public recognition) create incentives.

Security metrics in performance reviews. Include security champion activities, security issue remediation, and proactive security improvements as positive performance indicators.

Public recognition. Highlight security contributions in all-hands meetings, engineering newsletters, or internal chat channels. "Sarah found and fixed a privilege escalation vulnerability in the billing service last week" normalizes security work as valued engineering.

Security awards. Quarterly or annual awards for the engineer or team with the most significant security contribution. Make security work visible and celebrated.

The Security Culture Maturity Model

Organizations progress through predictable stages of security culture maturity.

Level 1: Reactive

Security is addressed only after incidents. There is no proactive security program. The security team (if one exists) is understaffed and ignored. Engineers view security as someone else's problem.

Level 2: Compliant

Security activities exist primarily to satisfy compliance requirements. Annual pentests, basic training, and security policies are in place but followed minimally. Security is seen as a checkbox exercise.

Level 3: Proactive

Security is integrated into the development lifecycle. SAST tools run in CI, security is part of code review, and engineers receive regular training. A security champion program exists. The security team is consulted during design.

Level 4: Embedded

Security thinking is automatic for most engineers. Secure defaults make the easy path the secure path. Security is a first-class concern in architectural decisions. Threat modeling happens during design, not after.

Level 5: Innovative

The organization contributes to the broader security community. Engineers participate in bug bounties, publish security research, and build novel security tools. Security is a competitive advantage, not just a cost center.

Most organizations are at Level 1 or 2. Reaching Level 3 requires executive support and dedicated resources. Levels 4 and 5 take years of consistent investment.

Real-World Example

Google's security culture is often cited as an industry benchmark. Every engineer completes security training. Security reviews are mandatory for certain types of changes. The security team builds and maintains secure-by-default libraries — if you use Google's standard HTTP library, you get TLS and certificate validation automatically. Engineers cannot accidentally disable security features without deliberate, reviewed code changes. This "secure by default" approach embeds security into the platform rather than relying on individual engineer vigilance.

Common Pitfalls

  • Making security the security team's problem. A centralized security team cannot review everything. Distributed ownership with security champions scales.
  • Training that is irrelevant. Generic security training using technologies your team does not use is wasted time. Customize training to your stack.
  • Checkbox culture. Treating security activities as compliance exercises rather than genuine risk reduction undermines the entire program.
  • Not recognizing security work. If security contributions are invisible in performance reviews, engineers will prioritize visible feature work instead.
  • Expecting overnight change. Security culture takes years to build. Start with quick wins (SAST in CI, a security review checklist) and build progressively.
  • Punishing security reporters. If the engineer who reports a vulnerability gets blamed for the disruption of fixing it, reporting will stop.

Key Takeaways

  • Security at scale requires distributed ownership — every engineer owns the security of their code.
  • Security champions (one per team) are the most effective force multiplier for a security program.
  • Effective training is hands-on, language-specific, and annually refreshed with quarterly updates.
  • Embed security into code review with a practical checklist that does not block on low-risk items.
  • Reward security contributions through recognition, performance reviews, and incentive programs.
  • Security culture maturity progresses from reactive to innovative — most organizations are early in this journey.
  • Secure-by-default tooling and libraries embed security into the platform rather than relying on individual vigilance.