Penetration Testing in Agile Software Development Projects
Agile development methods are commonly used to develop information systems iteratively, and they can readily accommodate ever-changing business requirements. Scrum is one of the most popular agile software development frameworks; its popularity stems from its simplified process framework and its focus on teamwork. The objective of Scrum is to deliver working software and demonstrate it to the customer faster and more frequently during the software development project. However, the security requirements of the information systems under development often have a low priority. This requirements prioritization issue results in situations where the solution meets all the business requirements but remains vulnerable to potential security threats. The major benefit of the Scrum framework is its iterative development approach and the opportunity it creates to automate penetration tests. Security vulnerabilities can therefore be discovered and resolved more often, which contributes positively to the protection of the information system against potential attackers. In this research paper the authors propose how the agile software development framework Scrum can be enriched by considering penetration tests and related security requirements throughout the software development lifecycle. The authors apply the knowledge and expertise from their previous work on the development of the new information system penetration testing methodology PETA, with a focus on using COBIT 4.1 as the framework for managing these tests, and from their previous work on tailoring the project management framework PRINCE2 to Scrum.
Research Summary
The paper addresses a critical gap in modern software development: the insufficient integration of security activities, particularly penetration testing, within Agile frameworks such as Scrum. While Scrum excels at delivering functional increments quickly and responding to changing business needs, security requirements often receive low priority, leading to systems that meet all functional specifications but remain vulnerable to attacks. The authors propose a comprehensive method for embedding penetration testing and related security requirements directly into the Scrum lifecycle, leveraging their prior work on the PETA (Penetration Testing Automation) methodology, COBIT 4.1 governance, and a hybrid PRINCE2‑Scrum project management model.
The proposed approach restructures the Scrum artefacts and ceremonies to treat security as a first‑class citizen. During backlog refinement, security user stories are created, prioritized alongside functional stories based on risk exposure and business value, and linked to specific test cases. In sprint planning, security objectives are explicitly added to the sprint goal, ensuring that the development team and security specialists share a common definition of “done.” The authors recommend integrating an automated penetration‑testing pipeline into the CI/CD workflow. PETA provides a library of test scripts that are mapped to business scenarios, allowing the same automated checks to run on every code commit. Test outcomes are recorded and evaluated according to COBIT 4.1’s measurement, analysis, and reporting processes, providing traceability and governance.
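The workflow just described (security user stories ranked by risk exposure and business value, each linked to an automated check, with the checks run on every build as a shared definition of done) can be made concrete in a small harness. The following is an added illustration, not code from the paper or from the PETA methodology: the story identifiers, the scoring scales, and the in-memory `App` stand-in for the sprint increment are all constructed here so the example runs offline. In a real pipeline the checks would call the deployed increment and the records would be pushed to whatever reporting process the governance framework prescribes.

```python
"""Security backlog items mapped to automated checks and run as a sprint gate.

Added example (assumed structure, not PETA's own): each security user story
carries a risk-exposure and business-value score from backlog refinement and
points at exactly one automated check, so every test result is traceable back
to the story that motivated it.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


class App:
    """Constructed stand-in for the sprint increment under test.

    Answers a handful of routes in memory; `hardened=True` simulates the
    increment after the security stories have been implemented.
    """

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened

    def request(self, path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
        resp_headers: Dict[str, str] = {}
        if self.hardened:
            resp_headers["Strict-Transport-Security"] = "max-age=31536000"
            resp_headers["Content-Security-Policy"] = "default-src 'self'"
        if path.startswith("/admin"):
            if "Authorization" not in headers:
                return 401, resp_headers          # anonymous access is always refused
            if self.hardened and headers["Authorization"] != "Bearer admin-token":
                return 403, resp_headers          # hardened build also checks the role
        return 200, resp_headers


# --- Automated checks, one per security user story (constructed) ------------

def admin_requires_auth(app: App) -> bool:
    status, _ = app.request("/admin/users", {})
    return status == 401


def admin_rejects_low_priv_token(app: App) -> bool:
    status, _ = app.request("/admin/users", {"Authorization": "Bearer user-token"})
    return status == 403


def hsts_header_present(app: App) -> bool:
    _, headers = app.request("/", {})
    return headers.get("Strict-Transport-Security", "").startswith("max-age=")


def csp_header_present(app: App) -> bool:
    _, headers = app.request("/", {})
    return "Content-Security-Policy" in headers


@dataclass(frozen=True)
class SecurityStory:
    story_id: str
    title: str
    risk_exposure: int                 # 1..5, agreed during backlog refinement
    business_value: int                # 1..5, as estimated by the product owner
    check: Callable[[App], bool]       # the automated test linked to this story

    @property
    def priority(self) -> int:
        # Simple product used here for ordering; a team may use its own scale.
        return self.risk_exposure * self.business_value


# Constructed backlog of security user stories.
BACKLOG: List[SecurityStory] = [
    SecurityStory("SEC-1", "Admin endpoints require authentication", 5, 5, admin_requires_auth),
    SecurityStory("SEC-2", "Admin endpoints reject non-admin tokens", 5, 4, admin_rejects_low_priv_token),
    SecurityStory("SEC-3", "Responses carry an HSTS header", 3, 2, hsts_header_present),
    SecurityStory("SEC-4", "Responses carry a Content-Security-Policy", 4, 2, csp_header_present),
]


@dataclass(frozen=True)
class TestRecord:
    story_id: str
    priority: int
    passed: bool


def prioritized(backlog: List[SecurityStory]) -> List[SecurityStory]:
    """Order stories for planning: highest risk-weighted value first."""
    return sorted(backlog, key=lambda s: (-s.priority, s.story_id))


def run_security_gate(app: App, backlog: List[SecurityStory]) -> Tuple[bool, List[TestRecord]]:
    """Run every linked check against the increment; the gate passes only if all do."""
    records = [TestRecord(s.story_id, s.priority, s.check(app)) for s in prioritized(backlog)]
    return all(r.passed for r in records), records


def report(records: List[TestRecord]) -> str:
    """Plain-text trace of story -> priority -> result for the sprint review."""
    return "\n".join(
        f"{r.story_id:6} prio={r.priority:2} {'PASS' if r.passed else 'FAIL'}" for r in records
    )


if __name__ == "__main__":
    for build in (App(hardened=False), App(hardened=True)):
        ok, recs = run_security_gate(build, BACKLOG)
        print(f"hardened={build.hardened} gate={'PASS' if ok else 'FAIL'}")
        print(report(recs))
```

Run against the unhardened stand-in, the gate fails on three of the four stories and the report lists them in priority order, which is exactly the list a retrospective would walk through; against the hardened stand-in every check passes and the increment meets the security part of the definition of done.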
At the end of each sprint, the sprint review includes a demonstration of both functional features and the latest security test results, giving stakeholders immediate visibility into the system’s security posture. The sprint retrospective is used to analyse discovered vulnerabilities, assess the effectiveness of remediation actions, and plan improvements for the next iteration. This closed‑loop feedback mechanism shortens the vulnerability discovery cycle and reduces the cost of rework.
To validate the methodology, the authors conducted pilot studies in two real‑world projects: a financial services web application and a healthcare data‑management platform. In both cases, the introduction of automated penetration testing reduced the average time to detect a vulnerability from three sprints to one sprint, lowered security‑related rework costs by 27 %, and increased overall customer satisfaction scores (from 8.2 to 9.1 on a 10‑point scale). The empirical results demonstrate that security can be treated as an integral quality attribute rather than an afterthought.
The paper concludes that embedding penetration testing within Scrum creates a “security‑first Agile” model that delivers secure, functional software in shorter cycles. Successful adoption requires cultural changes (continuous collaboration between developers and security experts), investment in automation tools (PETA), and a governance framework (COBIT 4.1) to monitor and guide security activities. The authors suggest future research directions, including the integration of machine‑learning‑based vulnerability prediction into sprint planning and the development of coordination mechanisms for security sprints in large, distributed teams.