Read the Community Blog

New pattern modules

We are in the process of revising the patterns in the library to ensure they are consistent, and simplify where possible. One idea is that we should create a few additional modules to reduce the number of controls that are specified on each pattern.

The set of modules could be:

  • DMZ - new module to show a standard DMZ environment for hosting applications or connections to untrusted networks or systems
  • High Security Network Zone - new module to show a high security environment for hosting sensitive applications such as Finance and HR systems, payment processing, source code repositories, etc.
  • Information Security Management System - new module for the baseline controls required for IS management of the environment
  • Client - existing module that shows the baseline set of controls for clients
  • Server - existing module that shows the baseline set of controls for servers

Hoping to make some progress on these in the next month or so. Drop us a line if you want to contribute.


Small addition to the icon library

Finally got around to adding the padlock item to the icon library. Not very exciting, but I thought I'd mention it :-)

Secure Scrum

For 10 years agile development has been finding more and more followers and practitioners. It seems like a sure bet that SCRUM will be the leading process skeleton for lean and agile project management. As with most new technologies, processes and frameworks also go through a hype cycle. At this moment we know a lot about the advantages of SCRUM and maybe too little about the pitfalls.

In the area of security, SCRUM does have some dangerous assumptions which I personally believe will prove to be major challenges in getting security right in development projects. Let me just mention two here:

  • SCRUM assumes that everyone in the team should be able to deal with all aspects of the solution, which would lead us to assume that all developers need to be knowledgeable in security controls and secure programming. However, in all the successful projects that I have seen, there was a security expert who joined the team almost on a daily basis. I believe the same is true, by the way, for other non-functional aspects like usability. Not sure what Ken Schwaber thinks about this, but I firmly believe that the team works best if team members bring their strengths together. One is interested in security, another is interested in usability (and great design), a third is interested in database scalability, and off you go with a great team :). It is good to have a backup in case someone leaves the project, but that comes at a cost.
  • SCRUM is a project management skeleton but not a software engineering process. SCRUM does not tell you how to come up with requirements, it does not tell you when and how to integrate and test, and it does not tell you how to build a lasting architecture, nor does it have anything to do with secure coding practices. This is not to blame SCRUM. SCRUM is great because it is simple and it focuses on very few aspects, like prioritizing resources and interacting with stakeholders.

All I intend to say here is: please don't try to invent a secure SCRUM, because security is better placed in a solution development life cycle than in a process skeleton. And a great lean process skeleton should not be overloaded. If anything, SCRUM should be more specific about project and solution risk management. Two years ago an interesting column was posted on InfoQ (http://www.infoq.com/news/2008/07/managing-risk-with-scrum).

What are your experiences?


O'Reilly Cloud Computing Book

An OSA reference has been included in the recent O'Reilly book "Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance" by Tim Mather et al. The Cloud Computing pattern from the patterns library is reproduced in the Appendix. We are pleased to be of assistance in a small way to a solid reference work on the topic.

If you are interested in reading further on the topic you can find it here on Amazon


Trials and tribulations of TCPDF

I've been trying to get the PDF rendering working properly and I find that this is not as simple as I would like!

We are using Joomla, which includes TCPDF as the default rendering engine; however, the documentation on how to configure it is weak to non-existent, so I will capture my efforts here so that we do not lose them.

Configuration options are held in /cms/libraries/joomla/document/pdf/pdf.php rather than in /cms/libraries/tcpdf/config/tcpdf_config.php as you might expect.

The TCPDF library does not handle images with explicit sizes very well and seems to scale them incorrectly. I have tracked the problem down to the image scale variable in pdf.php, as follows:

// Scale ratio for images [number of points in user unit]
var $_image_scale = 1.75;

This is 4 by default (which gives a very small image); when set to 1.75 with standard PNG or JPG images, the image scale is fine. If you set the scale to less than 1.5, the image expands off the page and the PDF text gets corrupted. It may be that the units need to be corrected (px rather than the default mm), as I have found that an image with no size attributes works fine.

The text formatting still needs some work, but this should be quite straightforward to correct.

The test pattern can be viewed here

The final problem to solve is how to get the PDF renderer to use the PNG image rather than the default SVG, which is the preferred option we use on the site as it allows links for the controls. Unfortunately the SVG is too complex for the PDF renderer to handle...

Details on the TCPDF API are available from http://api.joomla.org/1.5/com-tecnick-tcpdf/TCPDF.html
