
Agile: Handling Security with Scrum or XP

As with every financial institution, we're particularly concerned about security and faced with MANY tools and processes that are in place regarding it. So I found myself sitting face to face with one of our consultants and being asked the question: "Where does security fit into your framework? Your methodology?"

I found this an interesting question, and I answered "The team should decide" quite proudly.

Of course, he pressed on, wanting to know my own personal opinion on the subject, which, as everyone knows, I felt 'obligated' to give.

Now, I don't really remember how I answered at the time, but I was pondering it again this evening after a presentation on user stories at our local user group.

So, one possible thing to do is to write negative user stories like these:

As a hacker, I want to steal your user ID so I can brute-force your password.

As a hacker, I want to find out what version of operating system your server is running so I can exploit vulnerabilities in it.

As a phisher, I want to inject script into your website so I can get your password.

OK, so that's all dandy: I have negative user stories that I want to "implement", but how do we know to come up with these?

Well, let's say you do a code review with a security consultant (or use a tool that scans your code). Everything it finds could be explained to your customer, the risk weighed, and a story card generated.

AND perhaps having a code review that checks for secure coding practices should be part of your Definition of "Done"?

AND remember, the real goal of XP and Scrum is knowledge transfer! So the more often each member of the team works with 'secure coding practices', the more they learn and the more they know for next time.
