Secure SCRUM

Our accumulated experience in testing web applications allowed us to identify a pattern while examining the root cause of software security deficiencies and vulnerabilities: lack of agility in software development process.

So, what can be done to effectively manage this risk, apart from running continuous penetration testing on each software release?

Several would support that an agile approach will solve the problem. But even in mature software development teams where agile methods are applied, the problem of "security invalidated" code persists. The primary focus on producing functional code and the ongoing adaptation on customer/project needs while developing, leads to a lack of a security architecture or security implementation guidelines from the beginning of the project.

The verdict of an agile method is that it does not only continuously adapt to the progression of project requirements but it is also adaptive to allow the injection of other processes into the main SCRUM workflow. To cut the long story short, meet Secure SCRUM!

In Secure Scrum, security concerns are identified during the initial planning of the backlog and in the subsequent sprints. Security requirements elicit from user stories and are scheduled to be addressed during the respective sprint.

Our approach integrates our information security experts to your SCRUM team via multiple methods, such as secure coding training, offensive-defensive role-playing and secure sprint coaching. In that way, security relevance is made visible to all team members continuously.

Optionally, SpearIT provides a parallel maturity assessment of your SCRUM team via a customized OpenSAMM method.

Note that Secure SCRUM is neither an invention from scratch, nor a proprietary tool. Also, it is not a software engineering process. It is an effort to embrace the original SCRUM project management method in order to:

  • maintain a secure development lifecycle
  • prioritize resources to create a functional and secure product
  • translate stakeholder requirements into security concepts
  • continuously address software developing security requirements and manage risks

Secure SCRUM Coach

Your team is coached in real-time by our Secure SCRUM coach who is physically integrated with your development team.
With secure coding training & coaching on specific feature sprints, your team is ensured it agrees on a common understanding of the security requirements and challenges, setting the basis for effective implementation.

Security Skills Elevation

The ultimate goal is to develop an internal "Secure SCRUM Hero" who will be responsible for maintaining the Secure SCRUM approach in the team. Our real-time, on-the-job approach along with the offensive-defensive security training sessions, ensure that any hidden talents of security leadership in your team will arise.

ROSI Optimization

By addressing security concerns through the software development lifecycle in an agile way, your organization manages proactively risks related to software deficiencies, leading to a reduced attack surface, strong security posture while keeping security testing costs low.*

Secure SCRUM is not considered a replacement for third-party security testing.

Interested in taking software development security to the next level?


Latest News

EU NIS Directive Receives Update Proposal

On 6 December 2020, the EU Commission published its proposal for a revision of the Directive on Security of Network and Information Systems (EU NIS Directive)...

Read More

EU eID Schemes Landscape

Electronic Identification (eID) is a digital solution for the identity proofing of citizens or organizations achieving mutual recognition of electronic identification schemes across borders and increases citizens confidence in the online world...
Read More

Digital transformation and the EU NIS Directive

There is an observed ongoing movement towards digital transformation during the very last years, not only in private and enterprise environments but also in critical national infrastructure operators...
Read More