SecOps Workbench

Retro improvement backlog

Action items from past retros · what we said we'd improve, and where each one stands
Across the last 4 retros

9 improvement actions tracked

4 shipped · 2 in progress · 3 not started. Two are urgent (overdue or rolling into Sprint 8).
Open · 5 actions
Urgent · Process impact
Set up backup approver for critical crypto changes
SEC-1746 waited 4 days for approval because Alice was the only approver and was out of office. Risk: the ticket rolls into Sprint 8. Bob is nominated as backup and still needs to be added to approver-pool@crypto in the policy.
from Sprint 6 Retro · @alice · due today
In progress · Playbook impact
Draft spring-jsp-xss playbook
3 findings are currently blocked because no playbook exists for JSP-based XSS patterns. Alice's first draft is 40% complete; it covers the <c:out> escape strategy and fn:escapeXml wrapping.
from Sprint 7 Planning · @alice · due Wed May 14
In progress · Tooling impact
JSP → Thymeleaf migration epic
Strategic fix to eliminate the JSP XSS class entirely. Engineering owns it. Currently scoping: 14 JSP files in order-service, 9 in billing. Estimated 2 sprints.
from Sprint 6 Retro · @bob (eng) · due end of Sprint 9
Not started · Playbook impact
Promote spring-csrf@1.2 to T1 auto-merge
Playbook has 5 successful uses · 100% success rate · zero rollbacks. Policy requires ≥10 uses for T1, but the team agreed to lower the bar for low-risk patterns. Proposed at Friday's retro.
from Sprint 7 Retro (proposed) · @j.reviewer
Not started · Culture impact
Publish weekly digest of agent fixes to #eng-general
Engineering teams don't see the work the agents do quietly. Bob suggested a Friday digest: shipped fixes, prevented incidents, headline number. Builds trust and visibility.
from Sprint 5 Retro · @bob
Shipped · 4 actions
Done · Tooling
Set up nightly Fortify rescan after each merge
Closes the loop between auto-merge and verification. The pipeline now triggers a project rescan within 15 min of any agent-merged MR, catching regressions early.
from Sprint 7 Planning · @bob · shipped 3 days ago
Done · Process
Document T-tier escalation rules in AgentBook
When a fix is too complex for auto-merge, the criteria for routing it to engineering vs. demoting it to T3 weren't clear. Now codified in secops-policy@v3.2 with examples.
from Sprint 6 Retro · @alice · shipped 2 weeks ago
Done · Playbook
Add SHA-1 → SHA-256 playbook
Filled a critical gap. Already used 3 times with 100% success, including SEC-1738 last week.
from Sprint 5 Retro · @j.reviewer · shipped 3 weeks ago
Done · Process
Move standup to async-first via AgentBook
The previous daily 9am standup was being skipped. The orchestrator now posts the daily roll-up to AgentBook by 8:30; humans react with reads/blocks. Saved ~5h/week across the team.
from Sprint 5 Retro · @alice · shipped 4 weeks ago
Review at next retro: Fri May 15