Role Description: Scrum Team (The Developers)

Welcome to The Security Games
This briefing is exclusive to you and the participants who form the Scrum Team. You write the code. Every commit either strengthens or exposes the bank. You are the first line of defense, the ones who build the walls that the attackers are trying to breach.
1. Objectives and Motivation
Your primary mission is to deliver working software that meets business requirements while maintaining code quality and security. Technical debt is your silent enemy — every shortcut accumulates risk.
- Motivation: Professional pride in clean code, meeting sprint commitments, and not being the developer whose code caused a breach.
- Business Goal: Complete all sprint stories while maintaining code coverage above 80%.
- Nightmare Scenario: A backdoor in a third-party npm package you imported three sprints ago. You built, tested and shipped the intrusion yourself without knowing it.
2. Capabilities and Limitations
- Capability: Code Control. You write the code, review the pull requests, and decide the technical architecture. A security flaw in your code is YOUR responsibility.
- Capability: Escalation. When you discover a critical vulnerability, you can demand a sprint-stop from the Product Owner (PO). If the severity is high and the impact catastrophic, it is your duty to do so.
- Limitation: Time Pressure. The PO keeps pushing stories. Management wants the feature by Friday. Quality and security are the first casualties of deadline pressure.
3. Built-in Conflicts
- Against Product Owner: They prioritise features over security refactoring. You know the tech debt is dangerous but can't convince them to slow down.
- Against IT Operations: They complain about your deployment practices. You complain about their outdated infrastructure. The blame flows both ways.
4. How to Play the Role Convincingly (Game Master Tips)
- The Red Team Exercise: If the Game Master announces a code review challenge, try to hide a subtle backdoor. See if the other team catches it.
- Secrets Management: Do you have API keys in your code? Passwords in environment files committed to Git? Be honest — it happens in reality.
- Shadow IT: Are you using personal cloud services the IT department doesn't know about? Every undocumented tool is an invisible attack surface.
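Two of the tips above, the code review challenge and the secrets question, have a concrete review-time counterpart. The script below is an added example for this briefing, not material from the game itself: it contains a constructed "subtle backdoor" of the kind a player might slip into a pull request (a password check that accepts any candidate ending in the invisible U+200B ZERO WIDTH SPACE, disguised by a plausible comment), and two checks a reviewing team can run over the changed files: one that flags invisible and bidirectional control characters, and one that flags credential-looking literals. The sample files, the backdoor and the credentials (the AWS key is Amazon's documented example key) are all made up here; the `verify_password_backdoored`, `find_invisible_chars`, `find_secrets` and `review` names are this example's own.

```python
"""Review-time checks for the code review challenge and the secrets question.

Added example, not part of the original briefing. The 'pull request' files,
the backdoor and the credentials below are constructed for illustration.
"""
import hmac
import re
import unicodedata


def verify_password_backdoored(stored_hash: str, candidate_hash: str) -> bool:
    """Constructed backdoor: the comment sells a legacy-client quirk, but the
    suffix being tested is U+200B ZERO WIDTH SPACE, which most diff viewers
    render as nothing. Any candidate ending in it is accepted outright."""
    # Legacy clients append a terminator; accept it as-is for compatibility.
    if candidate_hash.endswith("\u200b"):
        return True
    return hmac.compare_digest(stored_hash, candidate_hash)


# Constructed contents of two files in the challenge pull request. The outer
# string literals turn "\u200b" into the real invisible character, exactly as
# it would sit in a checked-in source file.
SAMPLE_FILES = {
    "auth.py": (
        "import hmac\n"
        "\n"
        "def verify_password(stored_hash, candidate_hash):\n"
        "    # Legacy clients append a terminator; accept it as-is.\n"
        "    if candidate_hash.endswith('\u200b'):\n"
        "        return True\n"
        "    return hmac.compare_digest(stored_hash, candidate_hash)\n"
    ),
    "settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "DB_PASSWORD = 'hunter2'\n"
    ),
}

# Deliberately small pattern set; a real scanner carries many more.
SECRET_PATTERNS = [
    ("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hard-coded password or token",
     re.compile(r"[A-Za-z_]*(password|passwd|secret|api_key|token)\s*=\s*['\"][^'\"]{4,}['\"]",
                re.IGNORECASE)),
]


def find_invisible_chars(text: str):
    """Flag every code point in Unicode category Cf (format characters):
    zero-width spaces and joiners, the BOM, and the bidi override controls
    used in Trojan Source style attacks. Returns (line, column, name)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if unicodedata.category(ch) == "Cf":
                name = unicodedata.name(ch, "UNNAMED FORMAT CHARACTER")
                findings.append((lineno, col, f"U+{ord(ch):04X} {name}"))
    return findings


def find_secrets(text: str):
    """Flag lines that look like committed credentials. Returns (line, kind)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, kind))
    return findings


def review(files):
    """Run both checks over {path: contents}; one (path, line, note) per hit."""
    report = []
    for path, text in files.items():
        for lineno, col, what in find_invisible_chars(text):
            report.append((path, lineno, f"invisible character at column {col}: {what}"))
        for lineno, kind in find_secrets(text):
            report.append((path, lineno, f"possible {kind}"))
    return report


if __name__ == "__main__":
    # The backdoor in action: a wrong password plus the invisible suffix passes.
    print(verify_password_backdoored("deadbeef", "wrong\u200b"))
    for path, lineno, note in review(SAMPLE_FILES):
        print(f"{path}:{lineno}: {note}")
```

The invisible-character check is the one most teams lack: a reviewer reading the diff of `auth.py` sees `endswith('')` and a reassuring comment, and nothing else. Running the check as a pre-commit hook or CI step over every changed file, and failing the build on any Cf code point outside a documented allowlist, removes that whole class of hidden backdoor. The secrets check is only as good as its pattern list, so pair it with a scan of the full git history rather than the working tree alone, since a key deleted in a later commit is still recoverable from the repository.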
Good luck. Your decisions in The Security Games have consequences. Don't let the bank burn down.