Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

Managing security work in scrum: Tensions and challenges

: Türpe, Sven; Poller, Andreas

Fulltext urn:nbn:de:0011-n-4705390 (205 KByte PDF)
MD5 Fingerprint: 3724351ea2e004700b956de155ac8467
Created on: 4.11.2017

Jaatun, Martin Gilje:
SecSE 2017, International Workshop on Secure Software Engineering in DevOps and Agile Development. Proceedings. Online resource : Co-located with the 22nd European Symposium on Research in Computer Security (ESORICS 2017); Oslo, Norway, September 14, 2017
Oslo, 2017 (CEUR Workshop Proceedings 1977)
International Workshop on Secure Software Engineering in DevOps and Agile Development (SecSE) <2017, Oslo>
European Symposium on Research in Computer Security (ESORICS) <22, 2017, Oslo>
Conference Paper, Electronic Publication
Fraunhofer SIT ()
Scrum; security requirements; security work; management; agile development; software security

We advocate a change of perspective in the question of agile secure software development and analyze what makes it difficult to address security needs in Scrum. The literature focuses on the integration of security activities into agile development processes. However, detailed prescriptions for security work would be misplaced in a generic management framework like Scrum. Therefore we take a closer look at the tensions between Scrums way of organizing work and the characteristics of security requirements. Our previous work suggests that Scrum works well as a management model and security development requires iterations as in agile development, yet Scrum teams can fail to address security needs due to their low visibility, competing objectives, and Scrums division of labor. Tensions ar ise as Scrum is optimized to fulfill explicit requirements and maximize business value, whereas security is often an implicit requirement with a different value proposition, which nevertheless requires substantial work and cannot be addressed by bug fixing or quality assurance alone. As a consequence, promising research directions are the reflective discovery of security needs, the valuation and prioritization of security work, collaboration between Scrum teams and security experts, and verification and feedback mechanisms for security.