2017
Conference Paper
Title

Managing security work in scrum: Tensions and challenges

Abstract
We advocate a change of perspective in the question of agile secure software development and analyze what makes it difficult to address security needs in Scrum. The literature focuses on the integration of security activities into agile development processes. However, detailed prescriptions for security work would be misplaced in a generic management framework like Scrum. Therefore we take a closer look at the tensions between Scrum's way of organizing work and the characteristics of security requirements. Our previous work suggests that Scrum works well as a management model and security development requires iterations as in agile development, yet Scrum teams can fail to address security needs due to their low visibility, competing objectives, and Scrum's division of labor. Tensions arise as Scrum is optimized to fulfill explicit requirements and maximize business value, whereas security is often an implicit requirement with a different value proposition, which nevertheless requires substantial work and cannot be addressed by bug fixing or quality assurance alone. As a consequence, promising research directions are the reflective discovery of security needs, the valuation and prioritization of security work, collaboration between Scrum teams and security experts, and verification and feedback mechanisms for security.
Author(s)
Türpe, Sven
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Poller, Andreas
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Mainwork
SecSE 2017, International Workshop on Secure Software Engineering in DevOps and Agile Development. Proceedings. Online resource  
Conference
International Workshop on Secure Software Engineering in DevOps and Agile Development (SecSE) 2017  
European Symposium on Research in Computer Security (ESORICS) 2017  
File(s)
Download (205.36 KB)
Rights
Use according to copyright law
DOI
10.24406/publica-fhg-398272
Language
English
Fraunhofer-Institut für Sichere Informationstechnologie SIT  
Keyword(s)
  • Scrum
  • security requirements
  • security work
  • management
  • agile development
  • software security