Recently I was reading about incorporating security engineering into projects being run by different programming methodologies. One of the points made by the author is that they thought that eXtreme programming (or agile programming) methods made it difficult to properly design and implement security for most programming projects. They held and strongly promoted the belief that cyclical models such as the one promoted by MSF allowed for better design and implementation.

I'm wondering what your opinions on this subject might be...

Have you practiced extreme programming and has it hampered you in any way? Was your experience any worse/better than when you tried a cyclical model of development?

Do you have any horror stories about trying to incorporate security into your programming project?

Any advice for people on how you believe it should be done?

If you need some background on the methodologies mentioned:
extreme programming - http://www.extremeprogramming.org

Microsoft Solutions Framework - http://www.microsoft.com/technet/tre...ol/default.asp

A good listing of other methodologies can be found easily via Google. It's worth a look to see what's out there, I think.