International Journal On Advances in Security, volume 9, numbers 1 and 2, 2016
Secure Scrum and OpenSAMM for Secure Software Development
Authors:
Christoph Pohl
Hans-Joachim Hof
Keywords: Scrum; Secure Scrum; Secure Software Development; SDL; OpenSAMM
Abstract:
Recent years saw serious attacks on software, e.g., the Heartbleed attack. Improving software security should be a main concern in all software development projects. Currently, Scrum is a popular agile software development method, used widely in companies and universities. However, addressing IT security in Scrum projects differs from traditional security planning, which usually requires detailed planning in an initial planning phase. After this planning phase, only minor adjustments are expected. In contrast, Scrum is known for very little initial planning and for constant changes. This paper presents Secure Scrum, an extension to Scrum that deals with the characteristics of security planning in Scrum. Secure Scrum is a variation of the Scrum framework that puts an emphasis on the implementation of security-related issues without the need to change the underlying Scrum process or to influence team dynamics. To implement Secure Scrum in an organization, it helps to utilize a framework for strategic security planning. This paper uses the example of OpenSAMM (Open Software Assurance Maturity Model) to show how Secure Scrum could be implemented in the field. A field test of Secure Scrum shows that the security level of software developed using Secure Scrum is higher than the security level of software developed using standard Scrum, and that Secure Scrum is even suitable for use by non-security experts.
Pages: 25 to 35
Copyright: Copyright (c) to authors, 2016. Used with permission.
Publication date: June 30, 2016
Published in: journal
ISSN: 1942-2636