Vidar Kongsli is talking about Towards Agile Security in Web Applications. They've done a nice job of integrating the two, which is interesting as the culture of security people tends to be more static.
During planning, they introduced "Misuse Stories", like user stories but for potential exploits of the system. Once they have Misuse Stories, they can write tests to catch them and roll security into the process — educating the developers along the way. Interestingly, they also found that security is simpler to work with when broken into smaller features. Of course, the hard part is ensuring completeness, since security is a quality of the whole system.
Posted by stevef at October 25, 2006 3:30 PM

That's not a bad idea. I think that aspects of development, such as security, are often forgotten. XP provides a framework for communication between customers and developers... but what about the other stakeholders? The security guys; the sys admin guys; and the methodology police? I think it's wise to get any aspects on paper so the estimates don't get messed up. The biggest mistake I once made was telling my team "we aren't doing any CMMi tasks". Basically, the project was late so I thought poo to your CMMi initiative. Unfortunately at the end we had this back log of CMMi 'work' to do. I should have created CMMi stories and let the customer decide...
Posted by: Jamie at December 10, 2006 1:29 PM
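One way to make a Misuse Story executable, in the spirit of the post above, as an added example (this is not code from the talk or from stevef's post): a toy order-lookup handler, a hardened version of it, and two misuse stories run as a test against both. The handler functions, the `Forbidden` exception, the sample orders and the story wording are all constructed for this example.

```python
# Added example: a misuse story written as an executable test.
# Not code from the talk or the post; the order-lookup handlers, the
# Forbidden exception and the sample orders are all constructed here.
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass(frozen=True)
class Order:
    order_id: int
    owner: str
    total: float


# Constructed sample data: two customers, one order each.
ORDERS: Dict[int, Order] = {
    1: Order(order_id=1, owner="alice", total=42.0),
    2: Order(order_id=2, owner="bob", total=13.5),
}


class Forbidden(Exception):
    """Raised when a caller may not see the requested order."""


def get_order_by_id_only(current_user: str, order_id: int) -> Order:
    """The 'before' handler: trusts the id from the request and never
    checks who owns the order (the weakness the misuse story describes)."""
    return ORDERS[order_id]


def get_order(current_user: str, order_id: int) -> Order:
    """Hardened handler: the order must exist AND belong to the caller.
    A missing order and someone else's order get the same answer, so the
    response does not reveal which ids exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != current_user:
        raise Forbidden(f"{current_user} may not view order {order_id}")
    return order


def refuses(lookup: Callable[[str, int], Order], user: str, order_id: int) -> bool:
    """True only if the handler refuses with Forbidden; any other outcome,
    including a different exception, counts as a failed story."""
    try:
        lookup(user, order_id)
    except Forbidden:
        return True
    except Exception:
        return False
    return False


# Each misuse story reads like a user story, but from the attacker's side,
# and each maps to one check the test suite can run on every build.
def run_misuse_stories(lookup: Callable[[str, int], Order]) -> Dict[str, bool]:
    return {
        # "As a logged-in customer, I change the order id in the URL
        #  to read another customer's order."  Expected: refused.
        "cross_account_read": refuses(lookup, "alice", 2),
        # "As a logged-in customer, I try ids that may not exist to learn
        #  which orders are real."  Expected: the same refusal as above.
        "id_probing": refuses(lookup, "alice", 999),
        # The legitimate user story must still pass, or the fix is wrong.
        "own_order_still_readable": lookup("alice", 1).total == 42.0,
    }


if __name__ == "__main__":
    for name, handler in (("by id only", get_order_by_id_only), ("hardened", get_order)):
        print(name, run_misuse_stories(handler))
```

Running the stories against both handlers shows the point the post makes: the story fails on the unchecked handler and passes on the hardened one, while the ordinary user story keeps passing, so the misuse story lives in the same suite as the feature tests and is re-run on every build.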