A couple of weeks ago I posted an article on managing security requirements in agile development at InfoQ. I was pleasantly surprised to see a number of development / agile folks respond positively to the article on the Twitterverse. In fact, I think this article got more attention from developers (not just security-focused ones) than anything I’ve ever written.
The result is encouraging. If application security practitioners really want development organizations to adopt security holistically, then we have an opportunity: piggyback on the agile agenda for change, and make sure that we don’t treat security in isolation from the other qualities a team already has to deliver.
Agile developers are looking for better ways to manage all sorts of non-functional requirements (NFRs), including availability, scalability, performance, accessibility, privacy, and many others. We have an opportunity to help and be heard here, as long as we don’t insist that security is special.