My employer has a security champions forum. If you decide to become a security champion, then there are some mandatory training courses (across the spectrum of security: secure code, threat modelling, data protection, etc). After that there are regular other courses you can choose to go on, and regular meetings and surgeries where you can bring talks, questions, and any discussion points.

The aim of the security champions is to bring this knowledge and awareness of security issues to our teams. Security champions are not responsible for the security in their team/dept; they champion it.

I recently completed the mandatory training, and now want to expand my knowledge by learning from others.

I have a few goals I want to achieve as part of this role, and I realised this would be a good thing to combine with a testing tour, which is something I’ve wanted to do ever since I was part of Lisi’s tour last year:

Lisi was kind enough to spend some time talking to me to help put this together, sharing what she found helped her before she embarked on her tour and asking questions to help me flesh out my goals a little. I didn’t want to be too rigid, but I also wanted some goals so I wasn’t completely floating around. The goals and exit criteria are subject to change, but I’m feeling pretty excited about starting to learn/pair with people.



  • To become more familiar with security and data protection issues (for my own education/interest), and how to communicate those to people who are less familiar (especially in non-developer/coder language)
  • To start to bridge the gap between exploratory testing and penetration/security testing, learning the language of the security community to help explain testing methodology to non-testers when discussing how to find security issues.
  • To become more comfortable reading code. This will help with talking to developers about secure coding practices and with reviewing unit tests (along with a bunch of other things, but these two are my main goals).
  • Spending time with different people in different areas of the testing and security communities will help me gather examples and language to articulate security issues and exploratory testing (especially tools-based exploratory testing).

Exit criteria

  • Security as an explicit part of requirements when shaping tickets
  • A talk on what I’ve learned (internal and/or external). Talk topic subject to what comes out of the tour.

Other things I expect to come out of this tour:

  • Meeting new people, learning new things
  • Sharing this knowledge with others
  • Calendar and technology woes
  • Lots of imposter syndrome
  • Lots of note taking
  • Getting better at pairing and facilitation
  • Lots of fun

I plan to pair with at least 10 people, spread across the communities (I imagine I’ll actually be pairing with closer to 20, but start small and all that). I’ll be blocking out 90 minutes for each session. I’m aiming to do at least one a month, time permitting.

For the methods, I like Strong Style Pairing AKA ‘I have an idea, take the keyboard’ as described by Maaret here:

It’s an odd one to get used to, but it’s really good when you get into the flow of it (get into the groove of it?).

I’ll be pairing remotely, ideally using Zoom, as it has good screensharing functionality. While I’m also more than happy to pair irl when we’re in the same place, remote pairing is good for people who are further away.

I’ll be sharing the outcomes of the pairing ‘stops’ on my tour here (after confirming the other person is okay with what’s being shared), so people can learn along with me, and hopefully provide a decent set of resources for people. Putting this blogpost out will also hold me accountable to you, the readers, as I’ve said I’ll do it, so I have to.

I have a few names already, but if you want to be involved at some point, email me at, we’ll set something up!