Secure SCRUM

Our accumulated experience in testing web applications has allowed us to identify a recurring pattern when examining the root cause of software security deficiencies and vulnerabilities: a lack of agility in the software development process.

So, what can be done to manage this risk effectively, apart from running continuous penetration testing on each software release?

Many would argue that an agile approach solves the problem. But even in mature software development teams where agile methods are applied, the problem of "security invalidated" code persists. The primary focus on producing functional code, combined with the ongoing adaptation to customer and project needs during development, leads to the absence of a security architecture or of security implementation guidelines from the beginning of the project.

The strength of an agile method is that it not only continuously adapts to the progression of project requirements, but is also flexible enough to allow the injection of other processes into the main SCRUM workflow. To cut a long story short, meet Secure SCRUM!

In Secure SCRUM, security concerns are identified during the initial planning of the backlog and in the subsequent sprints. Security requirements are elicited from user stories and are scheduled to be addressed during the respective sprint.

Our approach integrates our information security experts into your SCRUM team via multiple methods, such as secure coding training, offensive-defensive role-playing and secure sprint coaching. In that way, the security relevance of the work is kept visible to all team members continuously.

Optionally, SpearIT provides a parallel maturity assessment of your SCRUM team via a customized OpenSAMM method.

Note that Secure SCRUM is neither an invention from scratch, nor a proprietary tool. Also, it is not a software engineering process. It is an effort to embrace the original SCRUM project management method in order to:

  • maintain a secure development lifecycle
  • prioritize resources to create a functional and secure product
  • translate stakeholder requirements into security concepts
  • continuously address software development security requirements and manage risks

Secure SCRUM Coach

Your team is coached in real time by our Secure SCRUM coach, who is physically integrated with your development team.
With secure coding training and coaching on specific feature sprints, your team reaches a common understanding of the security requirements and challenges, setting the basis for effective implementation.

Security Skills Elevation

The ultimate goal is to develop an internal "Secure SCRUM Hero" who will be responsible for maintaining the Secure SCRUM approach in the team. Our real-time, on-the-job approach, along with the offensive-defensive security training sessions, ensures that any hidden security-leadership talent in your team will emerge.

ROSI Optimization

By addressing security concerns throughout the software development lifecycle in an agile way, your organization proactively manages the risks related to software deficiencies, leading to a reduced attack surface and a strong security posture while keeping security testing costs low.*

* Secure SCRUM is not considered a replacement for third-party security testing.
