Install: claude install-skill timwukp/agent-skills-best-practice
# Security Story Writing
Convert security work — threats from a threat model, SAST/DAST findings, pen-test results, compliance controls — into stories a Scrum team can estimate, schedule, and verify like any other backlog item.
## Story Types
Pick the right shape for the input:
1. **Security control story** — a new protective capability (rate limiting, input validation, audit logging). Written from the system's or security role's perspective.
2. **Vulnerability remediation story** — fixing a specific finding. Must reference the finding ID and include a regression test criterion.
3. **Feature story with security criteria** — a normal feature story that gains explicit security acceptance criteria. Use when security is a property of the feature, not separate work.
4. **Compliance story** — implementing a named control from a framework (PCI-DSS requirement, MAS TRM section). Must cite the specific control number so auditors can trace it.
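One way to check a drafted story against these four rules mechanically, added here as an example and not part of the skill itself: a small Python linter that parses a story written in the markdown template shape this skill uses (the `### [ID] [title]` header, the **As / I want / so that** sentence, `**Threat:**` and `**Compliance:**` fields, and `Given ..., when ..., then ...` criteria) and reports what is missing for a given story type. The `**Finding:**` field used to carry the finding ID, the story-type names, the list of security verbs and both sample stories are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Regexes for the template shape: header, user-story sentence, bold fields, Given/when/then bullets.
HEADER_RE = re.compile(r"^###\s+(\S+)\s+(.+)$")
USER_RE = re.compile(
    r"\*\*As\*\*\s*(.+?),\s*\*\*I want\*\*\s*(.+?),\s*\*\*so that\*\*\s*(.+?)\.?\s*$"
)
FIELD_RE = re.compile(r"^\*\*(\w+):\*\*\s*(.*)$")
GWT_RE = re.compile(
    r"^-\s*Given\s+(.+?),\s*when\s+(.+?),\s*then\s+(.+?)\s*$", re.IGNORECASE
)
# Outcomes a security criterion should state ("prevents/detects and logs/alerts").
# Word-bounded so that "login" does not count as "log". Assumed verb list.
SECURITY_RE = re.compile(
    r"\b(prevent|reject|block|deny|detect|log|alert)(s|ed|ing)?\b", re.IGNORECASE
)


@dataclass
class Story:
    story_id: str = ""
    title: str = ""
    role: str = ""
    want: str = ""
    so_that: str = ""
    fields: dict = field(default_factory=dict)    # Threat, Compliance, Finding (assumed) ...
    criteria: list = field(default_factory=list)  # (given, when, then) tuples


def parse_story(text):
    """Parse one story written in the markdown template shape into a Story."""
    story = Story()
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m and not story.story_id:
            story.story_id, story.title = m.group(1), m.group(2)
            continue
        m = USER_RE.search(line)
        if m:
            story.role, story.want, story.so_that = m.groups()
            continue
        m = FIELD_RE.match(line)
        if m:
            story.fields[m.group(1)] = m.group(2).strip()
            continue
        m = GWT_RE.match(line)
        if m:
            story.criteria.append(tuple(part.strip() for part in m.groups()))
    return story


def lint_story(story, story_type):
    """Return a list of problems; an empty list means the story is ready for the backlog."""
    problems = []
    if not (story.role and story.want and story.so_that):
        problems.append("missing As / I want / so that sentence")
    if not story.criteria:
        problems.append("no Given/when/then acceptance criteria")
    has_security_outcome = any(SECURITY_RE.search(then) for _, _, then in story.criteria)
    if story_type == "control":
        if not story.fields.get("Threat"):
            problems.append("control story needs a Threat (STRIDE category or threat-model reference)")
        if not has_security_outcome:
            problems.append("no criterion states that the system prevents/detects and logs/alerts")
    elif story_type == "remediation":
        if not story.fields.get("Finding"):
            problems.append("remediation story must reference the finding ID (assumed **Finding:** field)")
        if not any("regression" in " ".join(c).lower() for c in story.criteria):
            problems.append("remediation story must include a regression test criterion")
    elif story_type == "feature":
        if not has_security_outcome:
            problems.append("feature story needs an explicit security acceptance criterion")
    elif story_type == "compliance":
        if not re.search(r"\d", story.fields.get("Compliance", "")):
            problems.append("compliance story must cite the specific control number")
    else:
        problems.append(f"unknown story type: {story_type}")
    return problems


# Constructed sample stories; IDs, finding reference and threat-model reference are made up.
CONTROL_STORY = """
### SEC-042 Rate limit the login endpoint
**As** the authentication service, **I want** per-account login rate limiting, **so that** credential stuffing is mitigated.
**Threat:** Spoofing (TM-7)
**Compliance:** n/a
#### Acceptance Criteria
- Given an account, when more than 10 failed logins arrive in 5 minutes, then the system rejects further attempts and logs an alert
- Given an account, when a user logs in normally, then the control is active without breaking the login flow
"""

REMEDIATION_STORY = """
### VULN-118 Encode search terms before rendering
**As** the web application, **I want** search terms HTML-encoded before rendering, **so that** script injection via the search page is prevented.
**Finding:** DAST-2024-0311
**Threat:** Tampering
#### Acceptance Criteria
- Given the search page, when a term containing markup is submitted, then the response renders it as inert text
"""

if __name__ == "__main__":
    for text, kind in ((CONTROL_STORY, "control"), (REMEDIATION_STORY, "remediation")):
        story = parse_story(text)
        print(story.story_id, kind, lint_story(story, kind) or "OK")
```

Run as a script it reports the control story as OK and flags the remediation story for lacking a regression test criterion, which is exactly the rule in story type 2 above.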
## Templates
### Security control story
```markdown
### [ID] [Control title]
**As** [the system / a security role], **I want** [security control], **so that** [risk is mitigated].
**Threat:** [STRIDE category or threat-model reference]
**Compliance:** [framework + control number, if applicable]
#### Acceptance Criteria
- Given [precondition], when [attack vector attempted], then [system prevents/detects and logs/alerts]
- Given [precondition], when [normal operation], then [control is active without breaking the user flow]
#### Security R