Chris Wysopal likens application security debt to technical debt in a couple of recent blog posts. It turns out that the debt metaphor is particularly apt as, like financial debt, application security debt is susceptible to interest rate fluctuations.

At last week's SPA conference, Paul Dyson and I ran a workshop on planning non-functional requirements in agile projects. Here is a personal account.

Not by angry customers suing for damages after security breaches, or by governments breaking up monopolies, but by open source developers and security professionals accusing them of being obsessed by security.

The ICT security community is suspicious of agile processes. "They do not produce formal documentation" is an often-heard complaint. Agile developers, on the other hand, blithely ignore security concerns.

Agile iteration planning has traditionally maximized business value based exclusively on user stories. However, implementing a user story increases the attack surface of a system and consequently the risk of abuse. The cost of absorbing such risk is often not taken into account. Abuser stories redress the balance.

Security is a blind spot in application development.

Security professionals have long regarded agile development processes with suspicion, in spite of their reputation for improving software quality. I report on a panel discussion at JavaPolis confronting agile processes with security engineering.

Eamonn McManus beat me to blogging about JavaPolis on Artima. I add a little sprinkling of Trust and Sex.

How do you get rid of a mainframe? Don't let it become a monster that feeds off your fears.

JavaScript is not as innocuous as some would like to believe.

XSS has been around for a long time, but the current appetite for weblogs opens up new opportunities for attackers.

The plot summarized and deconstructed.

A trailer for the security track at JavaPolis featuring O.S. security semantics in language-based systems, JAAS and auditing.