Designing a Security-First Scrum Framework with AI Enhancements

dc.contributor.author: Asad, Arslaan
dc.contributor.department: fi=Tietotekniikan laitos|en=Department of Computing|
dc.contributor.faculty: fi=Teknillinen tiedekunta|en=Faculty of Technology|
dc.contributor.studysubject: fi=Tietotekniikka|en=Information and Communication Technology|
dc.date.accessioned: 2026-06-17T19:31:29Z
dc.date.issued: 2026-06-05
dc.description.abstract: This thesis addresses the challenge of integrating software security into Scrum-based Agile development, where security activities are often neglected or treated as separate from the development process. Despite extensive research on securing Scrum, many existing approaches remain impractical for real-world adoption due to their complexity or reliance on specialised expertise. To address this gap, this study proposes an LLM-Supported Secure Scrum (LSS) framework that embeds security practices directly into Scrum artefacts, thereby ensuring continuous visibility and prioritisation of security early in the development lifecycle. The framework design is grounded in a structured literature review with thematic synthesis, which identifies security practices suitable for Agile environments. In addition, the framework incorporates Large Language Models (LLMs) as an enabling mechanism to operationalise and support these practices within development workflows. Specifically, in this thesis, LLMs are used to assist key security activities, including risk identification, S-Tag generation, misuse and abuser stories, security acceptance criteria (SAC), and an adaptive security Definition of Done (DoD). A prototype tool is developed to demonstrate the feasibility of integrating these capabilities into a practical development setting. The proposed framework is evaluated through a mixed-method approach combining a controlled demonstration with expert evaluation and a survey. The results suggest that the framework may improve security visibility, reduce the knowledge gap between developers and security practices, and support integration with existing Agile workflows without substantially disrupting perceived development velocity. Overall, this research contributes an approach for achieving AI-assisted security integration in Scrum, helping to bridge the gap between Secure Scrum research and its application in real-world development environments.
dc.format.extent: 166
dc.identifier.uri: https://www.utupub.fi/handle/11111/62156
dc.identifier.urn: URN:NBN:fi-fe2026061772740
dc.language.iso: eng
dc.rights: fi=Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.|en=This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.|
dc.rights.accessrights: avoin
dc.subject: Security in Scrum
dc.subject: Secure Agile Development
dc.subject: Software Security
dc.subject: Large Language Models (LLMs)
dc.subject: Security-First Framework
dc.subject: Agile Security Integration
dc.subject: Security User Stories
dc.subject: S-Tags
dc.subject: AI-Assisted Software Engineering
dc.title: Designing a Security-First Scrum Framework with AI Enhancements
dc.type.ontasot: fi=Diplomityö|en=Master's thesis|

Files

Name: Designing_a_Security_First_Scrum_Framework_with_AI_Enhancements.pdf
Size: 1.82 MB
Format: Adobe Portable Document Format