Penetration Testing in Agile Software Development Projects

TL;DR

This paper explores integrating penetration testing and security considerations into Scrum, an agile development framework, to enhance security and address vulnerabilities during iterative software development.

Contribution

It proposes a method to incorporate security testing and requirements into Scrum, leveraging existing penetration testing methodologies and project management frameworks.

Findings

Enhanced security through automated penetration tests in Scrum

Improved vulnerability detection during iterative development

Framework integration for security requirements management

Abstract

Agile development methods are commonly used to iteratively develop the information systems and they can easily handle ever-changing business requirements. Scrum is one of the most popular agile software development frameworks. The popularity is caused by the simplified process framework and its focus on teamwork. The objective of Scrum is to deliver working software and demonstrate it to the customer faster and more frequent during the software development project. However the security requirements for the developing information systems have often a low priority. This requirements prioritization issue results in the situations where the solution meets all the business requirements but it is vulnerable to potential security threats. The major benefit of the Scrum framework is the iterative development approach and the opportunity to automate penetration tests. Therefore the security vulnerabilities can be discovered and solved more often which will positively contribute to the overall information system protection against potential hackers. In this research paper the authors propose how the agile software development framework Scrum can be enriched by considering the penetration tests and related security requirements during the software development lifecycle. Authors apply in this paper the knowledge and expertise from their previous work focused on development of the new information system penetration tests methodology PETA with focus on using COBIT 4.1 as the framework for management of these tests, and on previous work focused on tailoring the project management framework PRINCE2 with Scrum.