S. L. Clemens, Notes on 'innocents abroad': Paragraph 20 (2010) ('There are three kinds of lies: lies, damned lies, and statistics.' -Attributed to Disraeli) ? http

F. P. Brooks, The Mythical Man-Month, 1995.
DOI : 10.1145/390016.808439

A. Ozment and S. E. Schechter, Milk or wine: does software security improve with age?, Proceedings of the 15th conference on USENIX Security Symposium - Volume 15. USENIX-SS'06, 2006.

D. Geer, MetriCon 1, Digest, 2006.

D. Geer, MetriCon 2, Digest, 2007.

D. Geer, MetriCon 4, Digest, 2009.

A. Eberlein and J. C. do Prado Leite, Agile requirements definition: A view from requirements engineering, In: Proceedings of the International Workshop on Time-Constrained Requirements Engineering, 2002.

K. Beznosov, eXtreme Security Engineering: On Employing XP Practices to Achieve "Good Enough Security" without Defining It, In: Proceedings of the First ACM Workshop on Business Driven Security Engineering, 2003.

J. Wäyrynen, M. Boden, and G. Bostrøm, Security Engineering and eXtreme Programming: An Impossible Marriage?, Proceedings. Lecture Notes in Computer Science, vol.3134, pp.117-128, 2004.
DOI : 10.1007/978-3-540-27777-4_12

K. Beznosov and P. Kruchten, Towards agile security assurance, Proceedings of the 2004 workshop on New security paradigms, NSPW '04, 2004.
DOI : 10.1145/1065907.1066034
URL : http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.429.6636

M. Siponen, R. Baskerville, and T. Kuivalainen, Integrating Security into Agile Development Methods, Proceedings of the 38th Annual Hawaii International Conference on System Sciences, 2005.
DOI : 10.1109/HICSS.2005.329

M. Poppendieck and R. Morsicato, XP in a Safety-Critical Environment, Cutter IT Journal, vol.15, pp.12-16, 2002.

V. Kongsli, Towards agile security in web applications, Companion to the 21st ACM SIGPLAN conference on Object-oriented programming systems, languages, and applications, OOPSLA '06, pp.805-808, 2006.
DOI : 10.1145/1176617.1176727

G. McGraw and J. Steven, Software [In]security: Comparing Apples, Oranges, and Aardvarks (or, All Static Analysis Tools Are Not Created Equal), 2011.

J. Jensen, A Novel Testbed for Detection of Malicious Software Functionality, 2008 Third International Conference on Availability, Reliability and Security, pp.292-301, 2008.
DOI : 10.1109/ARES.2008.113

B. Miller, L. Fredriksen, and B. So, An empirical study of the reliability of UNIX utilities, Communications of the ACM, vol.33, issue.12, 1990.
DOI : 10.1145/96267.96279

A. C. Doyle, Memoirs of Sherlock Holmes

G. McGraw, Software Security: Building Security In, 2006 17th International Symposium on Software Reliability Engineering, 2006.
DOI : 10.1109/ISSRE.2006.43