LKQ inspires a security-first culture with an effective security champions program
With a security champions program running and Invicti solutions in place for the last 4+ years, we have a very solid partnership between IT and security. The work of communicating security objectives in a reasonable, business-enabling manner is top of mind.
—Mike Craigue, Senior Director of AppSec and IAM, LKQ Corp
With over 1,600 locations in 25 countries, LKQ Corp is a leading provider of alternative and specialty automotive parts for repairing and accessorizing vehicles. When the company was founded in 1998, LKQ jumped at the opportunity to provide high-value and high-quality alternatives for consumers browsing automotive replacement parts. Today, the auto parts and logistics company has an annual revenue that tops $13 billion, serving customers in North America and Europe.
Offering a wide selection of reliable discount auto parts like engines, transmissions, and components, the LKQ team experienced rapid growth that translated into a complex and diverse technology stack, leaving them with over 300 websites to secure. Because their digital environment is so complex, with varying business needs, LKQ selected Invicti as its DAST solution.
One of the ways that LKQ decided to embed security activities across their entire application development teams was through a security champions program. Facing challenges in securing a large digital environment and in encouraging security adoption, LKQ was able to establish an effective program that elevates their application security efforts and improves cross-functional coverage.
Building an impactful security champions program
Although they previously had an informal program running within the organization, the LKQ team set out to establish a formal security champions program in 2019. One of the biggest challenges they faced was balancing the value of security-focused work with the business’s need for product innovation. They knew a security champions program would help them broaden awareness of application security needs throughout the organization while also enabling knowledge sharing to encourage secure development and best practices.
We did not limit participation in our security champions program to software developers; web application security requires a large ecosystem of skill sets to ensure the appropriate level of risk management.
—Mike Craigue, Senior Director of AppSec and IAM, LKQ Corp
To broaden the available knowledge pool, one of their missions was to encourage more than just developers to join the program. Today, the security champions program is composed of dozens of employees from various roles, including software development, IT architecture, business analysis, and IT infrastructure.
Surveying their threat landscape
In the early days of the program, LKQ started by evaluating and incorporating application security best practices from OWASP’s Software Assurance Maturity Model (OpenSAMM). Once they had those foundational practices established, they converged several enterprise data sources to determine the risk profiles for their 300-plus websites. Those risk profiles included information like revenue share, payment processing, and personal data, providing invaluable insight into potentially high-risk areas in their threat landscape.
Next, they began meeting monthly in two separate groups: European and North American security champions from various departments and roles. The monthly meetings—which sometimes include internal or external guest speakers—cover a wide range of topics that can help improve the security posture of the entire organization. Those topics include (but are not limited to) secure coding techniques, new attack patterns, risk management, and important metrics everyone should be aware of in a security-minded culture.
Encouraging a security-first mindset for all
With their security champions program working as intended, LKQ can now achieve more with much less friction. One of the key benefits they’ve seen is improved cross-functional support, whether that means ad-hoc requests for dynamic scans of brand new sites, or onboarding new applications for dynamic application security testing (DAST) and static application security testing (SAST).
Especially in the early days of the program, we sought to provide a “white-glove” service to anyone seeking help with an application security topic so that we could help encourage wider adoption. We tried to go above and beyond internal customer expectations by being helpful, approachable, and empathetic. FAQs and documentation of standard operating procedures are essential, but there is no substitute for human interaction and guided help that is customized to the situation.
—Mike Craigue, Senior Director of AppSec and IAM, LKQ Corp
An especially important benefit they’ve seen is the ability to provide a human, customized approach to security, encouraging others to adopt the same security-first mindset. By offering the program openly to the organization, they’re fostering an environment that supports communication and collaboration around critical security issues. Now, the company’s champions and other employees have a place to go to for immediate help, with guidance available from their peers and from the central security organization.
Continuous coverage with champions at the helm
An effective security champions program can help organizations close gaps in coverage, solve cross-functional pain points, and improve security from the top down. With Invicti’s capable and reliable testing tools backing that security-minded culture, the LKQ Corp team is seeing these benefits regularly, with a more solid partnership between security and IT as the lasting result.
The challenges we face are increasing in complexity every day because of the ingenuity of both independent and organized adversaries. Our work is never complete, so we can always find ways to do a better job, and our security champions program is enabling this for us.
—Mike Craigue, Senior Director of AppSec and IAM, LKQ Corp
They’re able to communicate more impactfully about security objectives without stifling business needs or innovation. And because attackers never sleep, the security champions program has laid a strong foundation for an environment that allows them to stay one step ahead of those relentless threats and continue serving customers worldwide.