Secure Coding mailing list archives

Agile (Scrum) best security practices and experiences?


From: Jari Pirhonen <japi () iki fi>
Date: Tue, 07 Sep 2010 19:41:35 +0300

Hi,

Agile development is spreading fast. I have discussed with many agile/Scrum developers and consultants and asked about security integration. I have got mostly vague answers about general quality enhancements, trusting the team and of course pointers to security critical applications they have developed.

I know about Microsoft SDL guidelines w/ agile development guidelines.

The best practical presentation I've seen comes from Nokia, now also presented at OWASP, http://www.owasp.org/images/c/c6/OWASP_AppSec_Research_2010_Agile_Prod_Sec_Mgmt_by_Vaha-Sipila.pdf

I've also discussed agile/security integration with other security professionals and software developers. For example, we had a good meeting with a nice security/developer mix arranged by Agile Finland and the Finnish Information Security Association. Discussion results are available here, http://confluence.agilefinland.com/display/af/Secure+software+development+and+agile+methods+-+notes

Now - if anyone could share some *real world* experiences of how to make agile/Scrum + security succeed without paralysing the agile team, I would very much like to hear them.

What works, what doesn't? How to start? Which tasks/tools give the most benefit?

All other insights are welcome also.

regards,
Jari

--

Jari Pirhonen
@japi999


_______________________________________________
Secure Coding mailing list (SC-L) SC-L () securecoding org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________

