Scrum, Security and Quality Assurance

Daniele Davi'
6 min readJul 4, 2022

In this article I will focus on Quality Assurance in Scrum Applied to Safety Critical Software.

Traditionally, safety-critical projects have been developed using the waterfall process. However, this makes it costly and challenging to incrementally introduce new features and to certify the modified product for use.

One of the many aspects of Scrum and similar approaches is that quality assurance is embedded in the process itself, and not explicitly documented. A Scrum team is supposed to be self-sustained, not having to rely on an external quality management or assurance function like a separate QA department.

Photo by Sigmund on Unsplash

First of all, a Scrum project enforces visibility and has frequent evaluation of status, progress and problems, which is used to re-plan and improve the project based on the most recent and updated knowledge.
Scrum also has dedicated activities for managing quality issues with both the product under development and the process itself; each short work- period, or sprint, concludes with a sprint review and potentially also a retrospective. The former evaluates the results so far and the latter evaluates the process itself to identify improvement needs and opportunities.
Scrum also strongly emphasises frequent interaction with the customer or the problem owner, and XP stresses continuous and frequent testing. This is necessary to ensure that the functionality as well as the quality of the system meets requirements and expectations. In short– Scrum can be seen as a combined and self-sustained planning, development, and quality assurance process, although lacking traceability.

Scrum encourages including quality assurance best practices within the Sprint. For example each iteration the following activities should be part of part of Definition of Done:

  • Defect tracing — keeps track of each defect found, its source, when it was detected, when it was resolved, how it was resolved, etc
  • Unit testing — each individual module is tested
  • Source code tracing — step through source code line by line
  • Technical reviews — completed work is reviewed by peers
  • Integration testing — exercise new code in combination with code…



Daniele Davi'

Author | Coach | CTO | Human | Explorer | Traveller | Photographer ...