Before looking at SCRUM team composition in relation to application security, it is worth knowing the key aspects of secure application development practices:
- Security awareness training
- Threat modeling
- Secure coding practices
- Security code reviews
- Security testing
Putting these practices in place is one of the toughest challenges for most SCRUM MASTERS to crack. Depending on the software development methodology (agile or non-agile), different alternatives can be explored for building the team. For agile development based on the SCRUM model, the following alternatives can be explored:
- Security Officer/Adviser/Architect: The role of the security adviser is to counsel the various SCRUM teams on security during the requirement analysis, design and development, and testing phases. The key contribution is threat modeling for every sprint (and release), where the adviser helps the team identify threats and vulnerabilities and come up with remediation measures (controls). The adviser also identifies tools and frameworks for security analysis from time to time, and takes part in regular security training for the different SCRUM teams. The following are the options for placing a security adviser with SCRUM teams:
  - Security adviser for each team: For a large SCRUM team of 20 or more developers, this is a viable option. There should be at least one person in the team who can guide the team on the areas mentioned above.
  - Security adviser for a set of teams: Where SCRUM teams average 5-6 developers, it may be a good idea to have one security adviser for 3-4 teams.
- Security Testing Team Members: Every SCRUM team can have at least one person familiar with security testing methodologies and frameworks. That person takes part in writing security-related test case scenarios and executes those tests as required. The security adviser/architect helps this person identify tools and frameworks for these tasks from time to time.