Key Considerations for Application Security & Agile SCRUM Team Composition

Before discussing SCRUM team composition in relation to application security, it is worth knowing the key aspects of secure application development practices:

  1. Security awareness training
  2. Threat modeling
  3. Secure coding practices
  4. Secure code reviews
  5. Security testing

Establishing secure application development practices is one of the toughest challenges for most SCRUM masters to crack. Different alternatives for building the team can be explored depending on the software development methodology, agile or non-agile. For agile development based on the SCRUM model, the following alternatives can be explored:

  • Security Officer/Adviser/Architect: The role of the security adviser is to counsel the various SCRUM teams on considering security during the requirement analysis, design and development, and testing phases. His key contribution lies in doing threat modeling for every sprint (and release), where he helps the team identify threats and vulnerabilities and come up with remediation measures (controls). He also helps identify tools and frameworks for security-related analysis from time to time, and takes part in regular security training for the different SCRUM teams. The following are different options for assigning a security architect to SCRUM teams:
    1. Security adviser for each team: For a larger SCRUM team consisting of 20 or more developers, this is a viable option. There should be at least one person in the team who can guide the team on the areas mentioned above.
    2. Security adviser for a set of teams: Where SCRUM teams are of average size (5-6 developers), it may be a good idea to have one security adviser for 3-4 teams.
  • Security Testing Team Members: Every SCRUM team can have at least one person who is aware of security testing methodologies and frameworks. He can take part in writing security-related test case scenarios and execute those tests as required. The security adviser/architect helps this person identify tools and frameworks for his tasks from time to time.
Ajitesh Kumar
