Published at DZone with permission of Jim Bird, author and DZone MVB.
Last night I presented to the Calgary Agile Methods Users Group on "Agile Appsec: Why we Suck at Building Secure Software, and what we can do about it". This is an outline of the problems that we have as an industry building secure software: why we fail at it, why Agile development is blamed for insecure software, and what we can do to build more secure software while still being Agile. I look at different approaches to injecting application security into Agile development: security stories, evil user stories, abuse cases and abuse stories; security sprints; and building security into development, using Microsoft's SDL Agile as a guide.