Our accumulated experience in testing web applications allowed us to identify a pattern while examining the root cause of software security deficiencies and vulnerabilities: lack of agility in software development process.
So, what can be done to effectively manage this risk, apart from running continuous penetration testing on each software release?
Several would support that an agile approach will solve the problem. But even in mature software development teams where agile methods are applied, the problem of "security invalidated" code persists. The primary focus on producing functional code and the ongoing adaptation on customer/project needs while developing, leads to a lack of a security architecture or security implementation guidelines from the beginning of the project.
The verdict of an agile method is that it does not only continuously adapt to the progression of project requirements but it is also adaptive to allow the injection of other processes into the main SCRUM workflow. To cut the long story short, meet Secure SCRUM!
In Secure Scrum, security concerns are identified during the initial planning of the backlog and in the subsequent sprints. Security requirements elicit from user stories and are scheduled to be addressed during the respective sprint.
Our approach integrates our information security experts to your SCRUM team via multiple methods, such as secure coding training, offensive-defensive role-playing and secure sprint coaching. In that way, security relevance is made visible to all team members continuously.
Optionally, SpearIT provides a parallel maturity assessment of your SCRUM team via a customized OpenSAMM method.
Note that Secure SCRUM is neither an invention from scratch, nor a proprietary tool. Also, it is not a software engineering process. It is an effort to embrace the original SCRUM project management method in order to:
- maintain a secure development lifecycle
- prioritize resources to create a functional and secure product
- translate stakeholder requirements into security concepts
- continuously address software developing security requirements and manage risks