Mercari’s Security Champion Program: Gamifying Security Education for a Safe and Secure Service
Hey everyone, this is Jason and Azeem from the Security Team at Mercari.
This quarter, as part of our initiative to improve security awareness across all teams, educate employees on security best-practices, and promote the idea of Shift-Left Security (where security concerns are addressed earlier in the software development life-cycle), we launched our very own Security Champion Program at Mercari.
Welcome to the Security Program
What is a Security Champion?
According to OWASP (The Open Web Application Security Project), Security Champions are proactive members of a product team that help to make decisions about when to engage the Security Team, act as the “voice” of security for a given product or team, and assist in the triage of security concerns for their team or area of expertise, etc.
In other words, Security Champions are a fundamental part of creating a culture of security awareness throughout a company, and helping security teams ensure our services are secure by design. Ideally, Security Champions are also able to become an extension of the Security Team itself, and contribute more directly through initial security reviews, and other tasks that require specialized knowledge of security.
Why did we start the program at Mercari?
Left: Azeem, product security engineer and technical lead for the program, Right: Jason, security engineer and program coordinator
Over the last few years, Mercari has seen rapid growth, and the environment has changed a lot from when the company was a start-up. One of the challenges any security team faces in a growing company is how to ensure security at scale, and a common approach to tackling this challenge is the idea of shift-left security. This means bringing security concerns, consultations, and testing to the table earlier in the development cycle, allowing teams to fix issues more cheaply and efficiently, which brings greater business value to the company, and helps ensure features are secure by design.
As an extension of the Security Team, Security Champions are also able to take leadership when it comes to tackling security concerns and threats within their own domains. For example, a Security Champion working on item listing can employ the knowledge they have built on security in conjunction with their unique domain knowledge to find and model threats related to the service early on in the design process as well as identify existing threats.
Program participant Ayman sporting Security Centaur in style!
In this sense, a well trained Security Champion can take more autonomy in their work and in general should have less of a need to have their design documents reviewed by the security team unless the champion is unsure about something and requires further consultation. This helps reduce the strain on the core Security Team and promotes security awareness and a sense of responsibility for implementing appropriate security measures within domain teams.
For this approach to be effective, we need to provide engineers with the skills necessary to deal with a world where cyberattacks are ever more frequent and cybersecurity is ever more important, and help promote these skills as part of their professional growth.
This is what our Security Champion program aims to achieve.
Top-scoring Security Champion and first owner of our elusive Security Centaur T-shirt, Hunter (the vulnerability hunter)
One of the core tenets of Mercari’s service is to provide a safe and secure experience to users, and providing security training to all employees and promoting a culture of security within the company form crucial parts of ensuring our services meet these standards.
What are we doing on the program?
Yannarak, Security team engineering manager
So what does the Security Champion program involve?
First, we educate employees about the role of the Security Team, what we do, what kind of challenges we are facing, and what support we need to overcome these challenges.
We teach security best practices to participants including appropriate secret management, the fundamentals of software security requirements, security design principles, threat modeling, how to carry out security reviews, etc.
For engineers to know how to defend against attacks, it is imperative that they understand the methodology employed by modern-day attackers.
On the program, we explore the actual tools and methods that hackers use, so that engineers can better understand how to implement and maintain countermeasures. We demonstrate how easy it can be to bypass certain security mechanisms from an attackers perspective, and the potential monetary loss that they can cause to the customer and the company, if these security mechanisms are not implemented properly.
Moreover, we go into case studies of past incidents, explaining what happened, what the fundamental issues were, how they were resolved, and what we can do to prevent similar issues from occurring in the future.
What’s in it for the Champions?
We want our champions to get the recognition they deserve for taking part in the program so we offer exclusive swag such as Security Champion stickers and their very own Security Champion Centaur T-shirt for the most dedicated champions! (Big thank you to @tennis on the Design Team for coming up with these amazing designs for the program)
Of course, we expect our champions to earn their prizes and as such, everything in the Security Champion program is tied to a points based achievement system.
Security champions can earn points by taking part in training sessions, joining Capture The Flag competitions together, giving their own talks on security related topics or even by taking on bonus challenges such as helping to resolve issues raised by the Security Team.
Engineers taking part in the program also get the unique opportunity to delve deeper into the field of security, further develop their skills as an engineer, and quench their thirst for in-depth expertise and knowledge.
Gamification helps us keep the program fun and build a deeper culture and community around security, with champions eager to see what new challenges we have awaiting them each week.
As part of the program we also started our own CTF(Capture The Flag) community with champions taking part in various competitions together. To help spread the community to employees less confident in getting competitive, we started a more casual board-gaming community too. These fun community events might seem trivial at first, but they have really helped our team build stronger relationships and trust with other teams from around the company, and in doing so aid us in identifying risk at an early stage.
Finally, we believe a proactive attitude towards continuous learning is one of the most invaluable skills to have when it comes to security. We want to help security champions continue down the security learning path too, so we do our best to offer advice and support for those interested in further sharpening their repertoire of security skills.
All sessions of the program are recorded and shared company-wide along with the presentation materials. In doing this we aim to build a compendium of security best practices over time that can reach the wider company eventually building up to a kind of security learning platform.
What’s in store for the future?
This is our first quarter running the program and, although things are still a little rough around the edges, we are happy with what we were able to achieve.
Going into the next quarter, we hope to expand the program to better cater to non-engineer roles, as well as welcoming external speakers and security experts to give talks to our champions! Next year we are also thinking of running a Hacktoberfest style Security awareness month, with Security Champions taking the lead in organizing exciting activities and events to promote security awareness across the company.
How can I find out more?
Thanks for reading our article, if you’re interested in the program and Mercari’s proactive approach to product security keep a lookout for our upcoming activities in Mercan!
The Mercari Security Team is also hiring, so if you’re interested in what we are doing and want to be part of it, check out the positions we’re looking for below.