Agile Software Development
Mon, 2007-08-13 15:30

Agile software development is a conceptual framework for undertaking software engineering projects that embraces and promotes evolutionary change throughout the entire life-cycle of the project. What it does not do is incorporate information security risk into the process. It is another way to keep costs down in the development process, but one created by those without any inkling of what it means to include security in any process, whether iterative or waterfall-like.
 
Agile methods emphasize real-time communication, preferably face-to-face, over written documents. Ergo, very little consideration is given to documenting critical transactions, compliance issues, access management, roles, etc.
 
Most agile teams are located in a bullpen and include all the people necessary to finish the software, but not to write proper software free of vulnerabilities.
 
At a minimum, this includes programmers and their "customers" (customers are the people who define the product; they may be product managers, business analysts, or actual customers). The bullpen may also include testers, interaction designers, technical writers, and managers (but there is no mention of anyone with a security bent).
 
Agile methods also emphasize working software as the primary measure of progress. Combined with the preference for face-to-face communication, agile methods produce very little written documentation relative to other methods.
 
What else does it not do:
 
  • it lacks structure and necessary documentation
  • it only works with senior-level developers
  • it incorporates insufficient software design
  • it lacks information security concerns relative to people, process and technology

There is even an agile manifesto (proletarians unite):

  • Customer satisfaction by rapid, continuous delivery of useful software
  • Working software is delivered frequently (weeks rather than months)
  • Working software is the principal measure of progress
  • Even late changes in requirements are welcomed
  • Close, daily cooperation between business people and developers
  • Face-to-face conversation is the best form of communication
  • Projects are built around motivated individuals, who should be trusted
  • Continuous attention to technical excellence and good design
  • Simplicity
  • Self-organizing teams
  • Regular adaptation to changing circumstances
 
All these things are great from one perspective, but you must include security. Pushing software out the door quickly and efficiently may save short-term dollars, but the built-in vulnerabilities will kill you in the long run.

The concepts are fine but incomplete. If you hear of agile methods in your environment, muscle your way in, or the sheer speed of their efforts (and the fact that they will see infosec as a governor on the throttle) will produce multiple iterations that are moved to production before you can get involved! And, per Murphy's law, most of those will be Internet-facing, financially significant iterations.
