Nowadays, the use of agile software development methods like Scrum is common
in industry and academia. Considering the current attacking landscape, it is
clear that developing secure software should be a main concern in all software
development projects. In traditional software projects, security issues require
detailed planning in an initial planning phase, typically resulting in a
detailed security analysis (e.g., threat and risk analysis), a security
architecture, and instructions for security implementation (e.g., specification
of key sizes and cryptographic algorithms to use). Agile software development
methods like Scrum are known for reducing the initial planning phases (e.g.,
sprint 0 in Scrum) and for focusing more on producing running code. Scrum is
also known for allowing fast adaption of the emerging software to changes of
customer wishes. For security, this means that it is likely that there are no
detailed security architecture or security implementation instructions from the
start of the project. It also means that a lot of design decisions will be made
during the runtime of the project. Hence, to address security in Scrum, it is
necessary to consider security issues throughout the whole software development
process. Secure Scrum is a variation of the Scrum framework with special focus
on the development of secure software throughout the whole software development
process. It puts emphasis on implementation of security related issues without
the need of changing the underlying Scrum process or influencing team dynamics.
Secure Scrum allows even non- security experts to spot security issues, to
implement security features, and to verify implementations. A field test of
Secure Scrum shows that the security level of software developed using Secure
Scrum is higher then the security level of software developed using standard
Scrum.Comment: The Ninth International Conference on Emerging Security Information,
Systems and Technologies - SECURWARE 2015, Venice, Italy, 201
