Saturday, May 10, 2008
Security has always been a challenge in software development. Being in an environment that has rapid ship cycles and iterative development does add challenges of its own when it comes to security.

Here are a few of the key concepts I intend to flesh out in the next few weeks:
  • Security Requirements
    • how to come up with security stories
    • how much is enough?
    • how much is too much?
  • Using automated tools
    • what tools are available
      • use static code analysis tools, and pay attention to their results.
      • I recommend also doing file and network fuzzing on system entry points, but don't have any good tool recommendations. Got some? Please leave comments!
    • web site testing vs web service testing
    • application testing
    • how do they fit into automation frameworks
  • Security Documentation (Threat Models)
    • Designing in Security as Feature 0
    • Iterative Threat Modeling
    • Who Reads the Threat Model?
    • How do we turn threat models into automated acceptance tests?
  • security testing strategies
    • white route (internal folks, given the internals of the system)
    • black route (for-hire hackers, given only an objective to accomplish, and no system information)
  • security-oriented code reviews
    • how to train developers and testers to look for security defects
  • security vs. performance
    • Sometimes mitigations incur a performance hit. How do we avoid this, and what are some alternatives?


This is an Agile blog, so this is the first production release of this article ... More features (content) will become available over time, so stay tuned to this RSS feed for updates and new content, as they emerge.