SO
SecOps WorkbenchSprint 7 · Day 8/10
Agent working
?page=sprint&id=sprint-7

Sprint 7 — Hardening

May 4 – 17, 2026 Day 8 of 10 · 12 tickets · 7 services
On pace · 6 of 12 done · +1 ahead of plan
Sprint capacity 40h · used 28h · remaining 2 working days. Velocity tracking 32 points (planned 30).
72%
Done
6 / 12
In flight
3
Blocked
2
At risk
1
Velocity
32 pts
Agent tokens
142k / 500k

Board · Sprint 7

Swipe to see all columns
Queued
3
SEC-1748
Weak random in token generator
High
~3h
SEC-1751
Hardcoded JDBC password in test config
Med
~1h
SEC-1752
CVE-2024-1234 in jackson-databind · upgrade 2.13.4 → 2.16.1
Med
~2h
In progress
1
SEC-1747 Working
Missing CSRF token on /api/admin/* endpoints
High
Step 4 of 6 · running tests62%
18m elapsed
In review
2
SEC-1745
SQL injection in OrderRepository.findByCustomer
Critical @you
SLA
6d left
3 of 4 approved
SEC-1743
XSS in dashboard search field (escaped output)
Med
SLA
2d left
2 of 3 approved
Blocked
2
SEC-1740
XSS in legacy JSP report viewer
High No playbook
→ engineering epic
SEC-1746
Weak crypto in session token signing
Critical Waiting 4d
SLA
1d left
@alice approval pending
A
Done
6
SEC-1742
Path traversal in FileExportController
High
merged · today 11:03
SEC-1738
Weak SHA-1 in audit log signing
Med
merged · today 10:15
SEC-1734
Hardcoded API key in PaymentService
High
merged · today 09:42
SEC-1735
Hardcoded secret in email template config
Med
merged · yesterday
SEC-1729
SQL injection in UserController.search
Critical
merged · 2 days ago
SEC-1741
Session fixation in login flow
High
merged · 2 days ago
A

Sprint blockers

ranked by impact
1
SEC-1746 · Crypto change waiting 4 days on approval
SLA 1 day left · critical · backup approver path not configured · risk: rolls into Sprint 8
A
@alice
2
SEC-1740 · XSS in legacy JSP — no playbook exists
Agent recommends engineering epic instead · same pattern in 6 JSPs · refactor candidate
unassigned
3
SEC-1743 · XSS dashboard fix · SLA 2 days left
Reviewer agent + J. Reviewer ✓ · waiting on @bob · last seen yesterday
B
@bob

Ceremony candidates

Friday · 14:00
For review
Demo SEC-1729 — agent fixed a critical SQL injection end-to-end with no human edits good story for stakeholders · shows T1 auto-merge tier working
For retro
Promote spring-csrf playbook to T1 auto-merge tier 5 uses · 100% success · low risk pattern
For retro
Process gap: SEC-1746 waited 4 days for approval need backup approver for critical crypto changes
For refinement
Draft spring-jsp-xss playbook 3 findings blocked by its absence · @alice to draft by Wed
For refinement
Engineering ticket: JSP → Thymeleaf migration in admin-portal unblocks 6 XSS findings · platform team owns