What are Security Champions and what do they do?

Security Champions are a key element of an AppSec team, since they create an cross-functional team focused on Application Security 

Here is an good definition for you to customise to your culture and workflows:

What is an Security Champion?

• Security Champions are active members of a team that may help to make decisions about when to engage the Security Team
• Act as the "voice" of security for the given product or team
• Assist in the triage of security bugs for their team or area

What do they do?

• Actively participate in the AppSec JIRA and WIKI
• Collaborate with other security champions
  • Review impact of 'breaking changes' made in other projects
• Attend weekly meetings
• Are the single point of contact for their assigned team
• Ensure that security is not a blocker on active development or reviews
• Assist in making security decisions for their team
  • Low-Moderate security impact
    • Empowered to make decisions
    • Document decisions made in bugs or wiki
  • High-Critical security impact
    • Work with AppSec team on mitigations strategies
• Help with QA and Testing
  • Write Tests (from Unit Tests to Integration tests)
  • Help with development of CI (Continuous Integration) environments

Further reading

• Does your team has a Security Champion? If not, get this Mug and Library
• Security Champions at Mozila
• Creating a Security Champions Network