Abstract
To achieve a level of security that is just right, software development projects need to strike a balance between security and cost. This necessitates making such decisions as to what security activities to perform in development and which security requirements should be given priority. Current evidence indicates that in many agile development projects, software security is dealt with in a more or less "accidental" way based on individuals' security awareness and interest. This approach is unlikely to lead to an optimal security level for the product. This paper suggests Security Intention Recap Meetings as a recurring organisational tool for evaluating current practices regarding the security intentions of a software project, and to make decisions on how to move forward. These meetings involve key decision makers in the project, such as the product owner and the project manager, with the purpose of making security decisions visible and deliberate and to monitor their results
