Security-Focused Agile Development | Vulnerability SLAs
Build security into agile sprints with shift-left practices. GitScrum tracks vulnerabilities by CVSS severity with automated workflow management.
9 min read
Security can't be an afterthought. GitScrum helps teams integrate security into agile workflows with security task tracking, vulnerability management, and process integration.
Security in Agile
Shift-Left Security
SECURITY THROUGHOUT DEVELOPMENT:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β TRADITIONAL (Shift-Right): β
β β
β Design β Develop β Test β Security Review β Deploy β
β β β
β "We found 47 vulnerabilities" β
β "Release delayed 3 weeks" β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β SHIFT-LEFT (Integrated): β
β β
β Security Security Security Security β
β β β β β β
β Design β Develop β Test β Deploy β
β β
β AT EACH PHASE: β
β β
β Design: β
β β’ Threat modeling β
β β’ Security requirements β
β β’ Architecture review β
β β
β Develop: β
β β’ Secure coding practices β
β β’ Static analysis (SAST) β
β β’ Dependency scanning β
β β’ Code review includes security β
β β
β Test: β
β β’ Dynamic analysis (DAST) β
β β’ Security test cases β
β β’ Penetration testing β
β β
β Deploy: β
β β’ Configuration scanning β
β β’ Runtime protection β
β β’ Monitoring and alerting β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Sprint Integration
SECURITY IN SPRINT RHYTHM:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β SPRINT ALLOCATION: β
β β
β [ββββββββββββββββββββββββββββββββββββββ] β
β β Features 60% β Bugs 15% β Security 15% β Tech Debt 10%β
β β
β SECURITY WORK TYPES: β
β β
β PROACTIVE: β
β β’ Security features (2FA, encryption) β
β β’ Security improvements β
β β’ Hardening tasks β
β β’ Training/learning β
β β
β REACTIVE: β
β β’ Vulnerability remediation β
β β’ Incident response β
β β’ Audit findings β
β β’ Dependency updates β
β β
β IN SPRINT CEREMONIES: β
β β
β Backlog Refinement: β
β β’ Security review of upcoming features β
β β’ "What could go wrong?" β
β β
β Sprint Planning: β
β β’ Include security tasks β
β β’ Security acceptance criteria β
β β
β Daily Standup: β
β β’ Security blockers surfaced β
β β
β Retrospective: β
β β’ Security incidents reviewed β
β β’ Process improvements β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Secure Development
Secure Coding Practices
DEVELOPER SECURITY CHECKLIST:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β INPUT VALIDATION: β
β β All user input validated β
β β Allowlist validation (not blocklist) β
β β Parameterized queries (no SQL injection) β
β β Output encoding (no XSS) β
β β
β AUTHENTICATION: β
β β Strong password requirements β
β β Rate limiting on auth endpoints β
β β Secure session management β
β β Multi-factor authentication option β
β β
β AUTHORIZATION: β
β β Access control on every endpoint β
β β Principle of least privilege β
β β Server-side enforcement β
β β Tested for privilege escalation β
β β
β DATA PROTECTION: β
β β Sensitive data encrypted at rest β
β β TLS for data in transit β
β β No secrets in code β
β β PII handling compliant β
β β
β ERROR HANDLING: β
β β Generic error messages to users β
β β Detailed errors to logs only β
β β No stack traces exposed β
β β
β LOGGING: β
β β Security events logged β
β β No sensitive data in logs β
β β Tamper-evident logging β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Security Code Review
SECURITY REVIEW PROCESS:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β EVERY CODE REVIEW SHOULD CHECK: β
β β
β INJECTION RISKS: β
β β’ User input used in queries? β
β β’ Dynamic code execution? β
β β’ Command execution with user input? β
β β
β ACCESS CONTROL: β
β β’ Authorization checked? β
β β’ Can users access others' data? β
β β’ Admin functions protected? β
β β
β SECRETS: β
β β’ Hardcoded credentials? β
β β’ API keys in code? β
β β’ Environment-specific secrets? β
β β
β DATA HANDLING: β
β β’ Sensitive data exposed? β
β β’ Proper encryption used? β
β β’ Data retained too long? β
β β
β SECURITY-SENSITIVE CHANGES (Extra Review): β
β β’ Authentication/authorization changes β
β β’ Cryptography changes β
β β’ Payment processing β
β β’ User data handling β
β β’ New external integrations β
β β
β β Tag as "security-review" in GitScrum β
β β Require security-trained reviewer β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Vulnerability Management
Vulnerability Workflow
VULNERABILITY HANDLING:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β DISCOVERY: β
β Sources: SAST, DAST, dependency scan, pen test, bug bountyβ
β β
β TRIAGE: β
β Assess severity and create GitScrum task β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β π΄ VULNERABILITY: SQL Injection in /api/search ββ
β β ββ
β β Severity: Critical ββ
β β CVSS: 9.8 ββ
β β Source: Penetration test ββ
β β Affected: All users ββ
β β Discovered: 2024-01-15 ββ
β β ββ
β β SLA: 24 hours ββ
β β Assignee: @alex ββ
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β SEVERITY SLAs: β
β Critical (9.0-10.0): 24 hours β
β High (7.0-8.9): 7 days β
β Medium (4.0-6.9): 30 days β
β Low (0.1-3.9): 90 days β
β β
β WORKFLOW: β
β New β Triaged β In Progress β Fixed β Verified β Closed β
β β
β VERIFICATION: β
β β’ Retest after fix β
β β’ Confirm vulnerability resolved β
β β’ Check for regression β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Dependency Security
DEPENDENCY VULNERABILITY MANAGEMENT:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β AUTOMATED SCANNING: β
β β’ Dependabot / Snyk / OWASP Dependency Check β
β β’ Run in CI on every build β
β β’ Block builds on critical/high severity β
β β
β SCAN RESULTS EXAMPLE: β
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β Dependency Vulnerabilities ββ
β β ββ
β β π΄ Critical: lodash@4.17.20 (CVE-2021-23337) ββ
β β Fix: Upgrade to 4.17.21 ββ
β β ββ
β β π High: axios@0.21.0 (CVE-2021-3749) ββ
β β Fix: Upgrade to 0.21.2 ββ
β β ββ
β β π‘ Medium: 3 vulnerabilities ββ
β β βͺ Low: 7 vulnerabilities ββ
β ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β PROCESS: β
β β
β Daily: Review new critical/high β
β Weekly: Update dependencies with fixes β
β Monthly: Full dependency audit β
β Quarterly: Remove unused dependencies β
β β
β GITSCRUM INTEGRATION: β
β β’ Auto-create tasks for critical vulnerabilities β
β β’ Track remediation progress β
β β’ Report on vulnerability trends β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Threat Modeling
Threat Model Process
THREAT MODELING IN DESIGN:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β WHEN TO THREAT MODEL: β
β β’ New feature with security implications β
β β’ Changes to authentication/authorization β
β β’ New data flows β
β β’ New external integrations β
β β’ Major architecture changes β
β β
β STRIDE FRAMEWORK: β
β β
β For each component/flow, ask: β
β β
β Spoofing: β
β "Can someone pretend to be something they're not?" β
β β
β Tampering: β
β "Can someone modify data they shouldn't?" β
β β
β Repudiation: β
β "Can someone deny they did something?" β
β β
β Information Disclosure: β
β "Can sensitive data be exposed?" β
β β
β Denial of Service: β
β "Can someone make this unavailable?" β
β β
β Elevation of Privilege: β
β "Can someone gain unauthorized access?" β
β β
β OUTPUT: β
β β’ Identified threats β
β β’ Risk rating for each β
β β’ Mitigations (β security stories in backlog) β
β β’ Acceptance criteria with security checks β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Security Stories
WRITING SECURITY-FOCUSED STORIES:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β SECURITY FEATURE STORY: β
β β
β Title: Implement rate limiting on login endpoint β
β β
β As a: Security team β
β I want: Rate limiting on login attempts β
β So that: Brute force attacks are prevented β
β β
β Acceptance Criteria: β
β β 5 failed attempts locks account for 15 minutes β
β β Lockout logged with IP and timestamp β
β β User notified of lockout β
β β Admin can unlock accounts β
β β Rate limit cannot be bypassed via API β
β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
β β
β SECURITY ACCEPTANCE CRITERIA (Any Story): β
β β
β Title: User profile editing β
β β
β Functional Criteria: β
β β User can edit name, email, avatar β
β β Changes save successfully β
β β
β Security Criteria: β
β β User can only edit their own profile β
β β Input validated (length, format) β
β β Email change requires verification β
β β Profile changes logged for audit β
β β Rate limited to prevent abuse β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Security Culture
Team Security Awareness
BUILDING SECURITY CULTURE:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β β
β TRAINING: β
β β’ Onboarding security training for all devs β
β β’ Annual security refresher β
β β’ Training after incidents β
β β’ OWASP Top 10 awareness β
β β
β KNOWLEDGE SHARING: β
β β’ Security champions in each team β
β β’ Monthly security topics in team meetings β
β β’ Share learnings from incidents β
β β’ Security office hours β
β β
β INCENTIVES: β
β β’ Recognize security improvements β
β β’ Bug bounty for internal findings β
β β’ Include security in perf reviews β
β β
β MAKE IT EASY: β
β β’ Automated security tools β
β β’ Clear security guidelines β
β β’ Secure defaults in templates β
β β’ Security review checklists β
β β
β BLAMELESS CULTURE: β
β β’ Security issues are learning opportunities β
β β’ Focus on process improvement β
β β’ No punishment for reporting issues β
β β’ Celebrate finding bugs before production β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ