Vidar Kongsli is talking about “Towards Agile Security in Web Applications”:http://www.oopsla.org/2006/submission/practitioner_reports/towards_agile_security_in_web_applications.html. They’ve done a nice job of integrating agile development and security, which is interesting because the culture of security people tends to be more static: review at the end, sign off, and don’t touch it again.
During planning, they introduced “Misuse Stories”: like user stories, but written from the attacker’s point of view to describe potential exploits of the system. Once they have Misuse Stories, they can write tests to catch them and roll security into the normal development process, educating the developers along the way. Interestingly, they also found that security is simpler to work with when broken into smaller features. Of course, the hard part is ensuring completeness, since security is a quality of the whole system and a set of stories only covers the attacks somebody thought to write down.
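To make the idea concrete, here is an added example of what turning a Misuse Story into an automated test can look like. It is not code from Kongsli’s report or from the project it describes: the toy application, the three stories, and all the names in it are assumptions chosen for illustration. Each story is written from the attacker’s side and paired with a check that returns true only when the attack is blocked, so a failing check is a failing test in the build.

```python
"""Misuse Stories as automated tests.

Added example, not from the OOPSLA 2006 report.  The toy application, the
stories and every identifier here are assumptions made for illustration.
"""
import html
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# --- a toy web application (constructed for this example) -------------------

CATALOG = {"book": 1200}  # prices in cents; the server-side source of truth


@dataclass
class App:
    orders: Dict[int, Tuple[str, str, int]] = field(default_factory=dict)

    def render_comment_unsafe(self, text: str) -> str:
        # The "before" state: user input is dropped straight into HTML.
        return f"<li>{text}</li>"

    def render_comment(self, text: str) -> str:
        # Hardened: escape user input before interpolating it into markup.
        return f"<li>{html.escape(text)}</li>"

    def checkout(self, user: str, item: str, submitted_price: int) -> int:
        # Hardened: the price from the form is ignored; the catalog decides.
        price = CATALOG[item]
        order_id = len(self.orders) + 1
        self.orders[order_id] = (user, item, price)
        return order_id

    def view_order(self, user: str, order_id: int) -> Tuple[str, int]:
        owner, item, price = self.orders[order_id]
        if owner != user:
            raise PermissionError("not your order")
        return item, price


# --- Misuse Stories, each paired with the test that catches it --------------

@dataclass
class MisuseStory:
    title: str
    blocked: Callable[[App], bool]  # True when the described attack fails


def blocked_stored_xss(app: App) -> bool:
    payload = "<script>alert(1)</script>"
    return "<script>" not in app.render_comment(payload)


def blocked_price_tampering(app: App) -> bool:
    order_id = app.checkout("mallory", "book", submitted_price=1)
    _, price = app.view_order("mallory", order_id)
    return price == CATALOG["book"]


def blocked_idor(app: App) -> bool:
    alices_order = app.checkout("alice", "book", CATALOG["book"])
    try:
        app.view_order("mallory", alices_order)
    except PermissionError:
        return True
    return False


MISUSE_STORIES: List[MisuseStory] = [
    MisuseStory("As an attacker, I post a comment containing script "
                "so that it runs in other users' browsers", blocked_stored_xss),
    MisuseStory("As an attacker, I edit the hidden price field "
                "to buy an item for one cent", blocked_price_tampering),
    MisuseStory("As an attacker, I change the order id in the URL "
                "to read another user's order", blocked_idor),
]


def run_misuse_stories(app: Optional[App] = None) -> Dict[str, bool]:
    """Run every story against one app instance; False means a story is open."""
    app = app or App()
    return {story.title: story.blocked(app) for story in MISUSE_STORIES}


def xss_test_catches_unsafe_renderer() -> bool:
    """Sanity check that the XSS story is not vacuous: the unsafe renderer
    really would have failed it."""
    payload = "<script>alert(1)</script>"
    return "<script>" in App().render_comment_unsafe(payload)


if __name__ == "__main__":
    for title, ok in run_misuse_stories().items():
        print(("BLOCKED " if ok else "OPEN    ") + title)
```

Note what a green run proves: that the stories you wrote are blocked, and nothing about the ones you did not. That is the completeness problem above, and it is why a story list still needs a threat model or review pass behind it rather than replacing one.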