Role: The Advocate
For security champions: here's what you own in application security and what you explicitly do not.
There is a thin line between a healthy and an unhealthy security champions role. Being expected to do all the security work might be as bad and frustrating as having no voice and mandate at all. This deep dive into the Advocate role sets clear boundaries and expectations for a healthy security champion role.
Who is the Advocate?
The Advocate is one of six roles within the AppSec Ownership Model and refers to:
A developer who’s interested in security and has deepened their security knowledge.
A security champions program is a decentralized approach to extend your central AppSec team with people embedded in development teams who advocate for security and act as a bridge between teams. Still, we should never forget that they are mainly developers, not security staff.
What AppSec domains does the Advocate own?
As the Advocate, you focus on the two AppSec domains you already own as an Executor, plus one additional domain:
Secure Design | Drive threat modeling exercises and ask security-related questions.
This domain is already one of your main focus areas as a developer, but as Advocate you are expected to wear the security hat in every design-related action and support your team with your security expertise.
Secure Coding | Spread security knowledge within the team and pay special attention to code reviews and the security-related test cases.
I can’t stress enough that you don’t need to do everybody’s security work. Don’t write everyone’s tests, but point out if security-related test cases are missing. As the Advocate, your main task is awareness and support, not compensation for other people’s bad habits.
Security Culture | Drive secure behavior within the team by being a role model and advocating for security.
Everyone can shape culture, but as the Advocate, your passion for security naturally serves this purpose. Cultural change is all about behavior and with you being a role model, you can inspire your peers to improve for themselves.
What AppSec domains does the Advocate support?
Being the Advocate for security comes with additional responsibilities and opportunities to shape your company’s AppSec program. While you don’t own every single domain, you can contribute to all of them.
Security Tooling | Provide valuable feedback on usability and raise recurring needs.
Security Strategy | Provide feedback and insights from day-to-day development to guide improvements based on real-world needs.
Your AppSec lead needs your feedback to shape the AppSec program in a direction that actually serves the developers. As you are still part of the development team, you’re best positioned to ensure they have the right context to decide which tools to provide and which strategy to follow.
Incident Readiness | Act as a point of contact for incident triage within the team and help identify the right people to support technical analysis.
When things go south, you may be best suited to support the AppSec team in figuring out what is going on and making sure your product is safe again soon. That doesn’t mean you’re meant to lead the process.
Vulnerability Management | Support your project leader and highlight recurring patterns for proactive improvement.
You can support your project leaders when they don’t know how risky certain issues are or how much effort it will take to remediate them. You are invited to look for patterns and suggest improvements in and across teams.
Now that you see the bigger picture, let’s make accountability explicit.
What is the Advocate accountable for?
Here’s what you can hold yourself accountable for:
Supporting developers in applying secure practices and improving their skills.
Bringing security topics into daily work and team discussions.
Facilitating basic threat modeling and secure design thinking.
Identifying security gaps that need central guidance or structural fixes.
Providing input on the usability of tools and effectiveness of guidance.
Sharing team-level insights on recurring needs and repeated issues with the AppSec lead.
View this list as an all-you-can-eat menu. These are areas where you can do more. You can start small with improving your own security-related skills and build a strong security community together with other Advocates. Nobody expects you to know and solve it all on your first day.
What is the Advocate NOT accountable for?
Here’s what you are explicitly not expected to do:
Taking over security responsibilities from other team members.
Replacing the project leader in planning or prioritization.
Implementing or enforcing central security measures.
Making policy decisions or setting global standards.
Leading incident response independently without coordination.
Acting as a permanent substitute for the AppSec lead.
While the first list was the tasty menu you could choose from, this list is the ‘don’t eat that shit’ list. Eating toxic mushrooms won’t serve you well. If your security champions program expects those things, push back hard. That’s the path to an unhealthy security champion role you don’t want to carry.
Who does the Advocate escalate to?
As the Advocate, there are two roles you can escalate to:
Gatekeeper (e.g., project leader) | For team-internal issues that block secure development, e.g. missing capacity, unclear ownership, or lack of priority.
This is your main escalation path as a developer anyway, so you can still use it to escalate security-related issues within your daily work and team.
Owner (e.g., AppSec lead) | For issues that require structural support, central guidance, or cannot be resolved within the team, as well as any conflicts that cannot be solved locally.
The Owner should have your back and is your central point of contact when things can’t be solved locally. They should be in contact with the executive leadership, so they can escalate things further if necessary.
In emergency cases, you as the Advocate may help coordinate local response efforts or step in when the Owner is unavailable, based on predefined rules. However, this is not your primary responsibility and should be clearly scoped.
Finally, you can always escalate to your security champion community. You are not fighting and advocating alone. You hopefully have your community and network to support your local efforts, learn from each other and have fun.
The Advocate is one of six roles within the AppSec Ownership Model, which defines clear accountability for everyone involved in developing secure software.