Security in Scrum
How do we build Secure products in Scrum? In a world where the development team deliver value every Sprint, it is hard to see how to ensure products are secure and still delivered every Sprint.
People have tried different approaches over time, with varying degrees of success.
Avoid:
- Fix security issues as defects after the implementation
- Hardening Sprints (which is just a formal version of fixing security issues later)
- Special Teams - where the special team take care of the security work. Like all special teams in a Agile world, this team will likely become the bottleneck to frequent releases.
Try:
- Special Team members/experts become advisers or coaches to teams trying to improve the security of their feature work. This scales better than a special team, because we’re spreading the knowledge over more people.
- Automate - for classes of problems that come up repeatedly, use automated tools to spot the problems. This is not a panacea, it merely reduces the load so that the experts can focus on more important work.
- Definition of Done - Add the security requirements to Done. Now development team members are expected to check the specific requirement every time they declare an item as Done. Works well with automation, and experts become advisers.
- Acceptance Criteria - when team members meet to discuss other acceptance criteria (hint: BDD), they also review their Definition of Done, they’re reminded of security requirements. Based on this conversation, they write the acceptance criteria for that feature.
- Separate Product Backlog Items - if some security needs are large enough, they might become their own Product Backlog Item. Caveat: the risk here is that product can’t be released until key security features are implemented, contravening the Agile principle of “__Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.”
- Build into all Scrum events - ask questions that relate to security in Sprint Planning; Sprint Review; Sprint Retrospective and Daily Scrum.
Everything mentioned about security is also applicable to any highly-regulated environment where the team are required to meet a compliance goal.
Scrum Anti-Patterns: The Hardening Sprint Scrum by Example – Stuck Waiting for Other Teams (Special Teams and their effect) Scrum Development Team – Who’s In It?
Resource Links
- Continuous Compliance - Continuous Delivery with Compliance - DevSecOps — How Security Can Be Assimilated Into Scrum - DevSecOps Manifesto and What is DevSecOps?
- A Guide to Threat Modelling for Developers - Secure software design, little and often
- Managing Security Work in Scrum: Tensions and Challenges [PDF Warning] - Product Security Risk Management in Agile Product Management [PDF Warning] - SECURE SCRUM – INTEGRATING SECURITY WITH AGILE and the paper it was derived from: Secure Scrum: Development of Secure Software with Scrum [PDF Warning]