Install: claude install-skill timwukp/agent-skills-best-practice
# Sprint Planning (Secure Value)
Help a Scrum team plan a sprint where security work competes fairly with features instead of being deferred forever. The Product Owner acts as a risk manager: features earn value, unresolved security debt accrues risk.
## Capacity Planning
1. **Velocity baseline**: use the rolling average of the last 3 completed sprints. If history is missing, plan conservatively and state explicitly that the first sprints are calibration sprints.
2. **Reserve ~20%** of capacity for security remediation and unplanned work. Teams that skip this reserve absorb security work by silently dropping committed stories.
3. **Carry-over rule**: if more than 30% of last sprint's commitment carried over, reduce this sprint's commitment — don't re-commit the same overload.
4. Account for real availability: holidays, on-call rotations, and any team member dedicating time to security champion duties.
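The four capacity steps above, carried through as one calculation. This is an added example, not code from the skill or its author; the sample team, sprint history and absence figures are constructed, and one detail the page leaves open is filled in as a labelled assumption: when the carry-over rule triggers, the commitment is scaled down by the fraction that carried over.

```python
from statistics import mean

SECURITY_RESERVE = 0.20      # ~20% of capacity held for remediation and unplanned work
CARRY_OVER_THRESHOLD = 0.30  # carry-over above 30% of last commitment forces a cut
VELOCITY_WINDOW = 3          # rolling average over the last 3 completed sprints


def velocity_baseline(completed_points, window=VELOCITY_WINDOW):
    """Rolling average of the last `window` completed sprints, or None without history."""
    recent = completed_points[-window:]
    return mean(recent) if recent else None


def availability_factor(team_size, sprint_days, absent_dev_days):
    """Fraction of nominal dev-days actually available this sprint.

    absent_dev_days maps a reason (holiday, on-call, security-champion duty, ...)
    to the dev-days it removes from the sprint.
    """
    nominal = team_size * sprint_days
    lost = sum(absent_dev_days.values())
    if lost > nominal:
        raise ValueError("more absence than dev-days in the sprint")
    return (nominal - lost) / nominal


def carry_over_ratio(last_committed, last_completed):
    """Share of last sprint's commitment that was not finished."""
    if last_committed <= 0:
        return 0.0
    return max(0.0, (last_committed - last_completed) / last_committed)


def plan_sprint_capacity(completed_points, team_size, sprint_days, absent_dev_days,
                         last_committed, last_completed, calibration_points=None):
    """Return the commitment split into feature capacity and the security reserve."""
    baseline = velocity_baseline(completed_points)
    calibration = baseline is None
    if calibration:
        # No history: plan from a conservative figure supplied by the team and
        # label the sprint as calibration rather than pretending to a velocity.
        if calibration_points is None:
            raise ValueError("no velocity history: supply a conservative calibration_points")
        baseline = calibration_points
    commitment = baseline * availability_factor(team_size, sprint_days, absent_dev_days)
    ratio = carry_over_ratio(last_committed, last_completed)
    reduced = ratio > CARRY_OVER_THRESHOLD
    if reduced:
        # Assumption (not stated on the page): cut the commitment by the share
        # that carried over instead of re-committing the same overload.
        commitment *= (1 - ratio)
    reserve = commitment * SECURITY_RESERVE
    return {
        "baseline": baseline,
        "calibration": calibration,
        "carry_over_ratio": ratio,
        "reduced": reduced,
        "commitment": commitment,
        "security_reserve": reserve,
        "feature_capacity": commitment - reserve,
    }


if __name__ == "__main__":
    # Constructed sample: 5 developers, 10-day sprint, 34/30/38 points completed
    # in the last three sprints, 5 dev-days lost, and 14 of 40 points carried over.
    plan = plan_sprint_capacity(
        completed_points=[28, 34, 30, 38],
        team_size=5, sprint_days=10,
        absent_dev_days={"holiday": 2, "on_call": 2, "security_champion": 1},
        last_committed=40, last_completed=26,
    )
    for key, value in plan.items():
        print(f"{key}: {value}")
```

With the constructed input the baseline is 34 points, availability is 0.9, and the 35% carry-over trips the rule, so the commitment drops to about 19.9 points, of which roughly 4 are reserved for security work and 16 remain for features.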
## Risk-Weighted Prioritization
Score competing items with this framework, then sanity-check the result rather than following it blindly:
```
Security Debt Score = severity_points × exposure_multiplier
severity_points: Critical 10 · High 5 · Medium 2 · Low 1
exposure_multiplier: days_since_discovery / 30 (minimum 1)
Feature Value Score = business_impact (1-10) × user_reach (1-10) × revenue_or_risk_relevance (1-10)
```
**Hard rules that override scores:**
- Critical and High vulnerabilities enter the sprint now — they are not tradeable against features.
- Regulatory deadlines (compliance findi
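The scoring framework and the Critical/High hard rule, applied to a small backlog. This is an added example, not the skill's own code; the backlog items, their point sizes and the `fill_sprint` greedy selection are constructed here to show how the scores and the override interact, and the page does not prescribe any particular selection algorithm.

```python
SEVERITY_POINTS = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1}
NON_TRADEABLE = {"Critical", "High"}   # hard rule: these enter the sprint now


def security_debt_score(severity, days_since_discovery):
    """severity_points × exposure_multiplier, multiplier = days/30 floored at 1."""
    if severity not in SEVERITY_POINTS:
        raise ValueError(f"unknown severity {severity!r}")
    if days_since_discovery < 0:
        raise ValueError("days_since_discovery must be >= 0")
    exposure = max(1.0, days_since_discovery / 30)
    return SEVERITY_POINTS[severity] * exposure


def feature_value_score(business_impact, user_reach, relevance):
    """business_impact × user_reach × revenue_or_risk_relevance, each rated 1-10."""
    for name, value in (("business_impact", business_impact),
                        ("user_reach", user_reach),
                        ("revenue_or_risk_relevance", relevance)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be between 1 and 10, got {value}")
    return business_impact * user_reach * relevance


def score_item(item):
    """Return (score, mandatory) for a backlog dict of kind 'security' or 'feature'."""
    if item["kind"] == "security":
        score = security_debt_score(item["severity"], item["days_since_discovery"])
        return score, item["severity"] in NON_TRADEABLE
    if item["kind"] == "feature":
        return feature_value_score(item["impact"], item["reach"], item["relevance"]), False
    raise ValueError(f"unknown item kind {item['kind']!r}")


def rank_backlog(items):
    """Hard-rule items first, then everything else by descending score.

    Returns a list of (name, score, mandatory) tuples.
    """
    scored = [(item["name"], *score_item(item)) for item in items]
    return sorted(scored, key=lambda row: (not row[2], -row[1], row[0]))


def fill_sprint(items, capacity_points):
    """Constructed greedy fill: mandatory items always go in, even over capacity;
    the rest are added in score order while they fit.

    Returns (selected names, points used, overcommitted flag).
    """
    points = {item["name"]: item["points"] for item in items}
    selected, used = [], 0
    for name, _score, mandatory in rank_backlog(items):
        if mandatory or used + points[name] <= capacity_points:
            selected.append(name)
            used += points[name]
    return selected, used, used > capacity_points


# Constructed sample backlog (names, ratings and point sizes are invented).
SAMPLE_BACKLOG = [
    {"name": "SEC-1 high finding", "kind": "security", "severity": "High",
     "days_since_discovery": 5, "points": 5},
    {"name": "SEC-2 medium finding", "kind": "security", "severity": "Medium",
     "days_since_discovery": 75, "points": 3},
    {"name": "SEC-3 low finding", "kind": "security", "severity": "Low",
     "days_since_discovery": 10, "points": 1},
    {"name": "FEAT-1 checkout redesign", "kind": "feature",
     "impact": 7, "reach": 8, "relevance": 5, "points": 13},
    {"name": "FEAT-2 report export", "kind": "feature",
     "impact": 3, "reach": 4, "relevance": 2, "points": 5},
]


if __name__ == "__main__":
    for name, score, mandatory in rank_backlog(SAMPLE_BACKLOG):
        print(f"{name:28s} score={score:7.1f} mandatory={mandatory}")
    print(fill_sprint(SAMPLE_BACKLOG, capacity_points=20))
```

Two things the run makes visible. The High finding is placed first by the hard rule even though its raw score (5.0) is below both features. And, as the formulas are written, the two scores sit on different scales: security debt is severity points times an exposure multiplier, while a feature is a product of three 1-10 ratings, so the 75-day-old Medium finding (5.0) ranks below a minor feature scoring 24. That gap is exactly why the page pairs the framework with the hard rules and the instruction to sanity-check the result.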