[Owasp-leaders] Are Security folks too stiff

Andre Gironda andreg at gmail.com
Mon Mar 2 16:47:39 EST 2009

On 3/2/09, McGovern, James F (HTSC, IT) <James.McGovern at thehartford.com> wrote:
> A peer of mine sent me this link:

I read that article.  I've seen the past work from Dave Wichers and Dan Cornell.

> But also asked me a question of why aren't security types embracing agile
> methods and lighter-weight methodologies? Any thoughts on CLASP guidance
> when compared/contrasted against the Agile
> Manifesto?

Agile is no different than XP or any other iterative development
lifecycle.  The real differences are terminology and culture, which
vary from organization to organization.  What really counts is not how
Agile an organization is, but how it affects their language and
business culture.

What I find most fascinating about Agile is the promotion of the TDD,
BDD, or MDA/MDE software engineering principles.  These can be very
effective when combined with non-functional requirements such as
security testing/inspection.  Additionally, continuous-prevention
development is an additional win.  I also found Dave Wichers'
insights to be very interesting.
