The 12 principles behind Agile development are (emphasis mine):
- Customer satisfaction by rapid delivery of useful software
- Welcome changing requirements, even late in development
- Working software is delivered frequently (weeks rather than months)
- Working software is the principal measure of progress
- Sustainable development, able to maintain a constant pace
- Close, daily co-operation between business people and developers
- Face-to-face conversation is the best form of communication (co-location)
- Projects are built around motivated individuals, who should be trusted
- Continuous attention to technical excellence and good design
- Self-organizing teams
- Regular adaptation to changing circumstances
If you are a startup in particular, I don't think you can develop any other way than Agile. Your best bet for survival is to get something out there and iterate like hell. Even in large companies these days, rapid delivery, reduced costs and adapting to requirements that get elaborated as you go are increasingly the norm. Paul Graham says "a programmer working as programmers are meant to, is always making new things". I would argue this should be true for everyone working on Agile projects, including security people. The only people who add value are those coding, designing the UI, testing, etc.: the people "touching the product". Unfortunately most security people are not doing this; they create documentation, provide advice and consulting, "manage risks" or manage other security people, and thus at best add zero value. Arguably you would be far better off having only security engineers who code the security components themselves and who, when they perform code reviews and security testing, actually fix the problems they find.
How about the opposite perspective though? Starting from the top: CISOs sit on executive committees, ten or more layers removed from the product where such hierarchies exist. CSO Online states they are the "executive responsible for the organization's entire security posture", these days expanding their empire to risk, governance, information security, IT security, physical security, data loss and even fraud. Surely that is an important position for ensuring your project delivers the business benefits really quickly. So what if startups don't have them; every Fortune 500 company does, right? They must add a lot of value. I mean, it is the big stuff that makes the difference: securing the budget for that new DLP system, funding enough resources to review all the projects and changes, keeping the security operations running. Even I have argued before that enterprise security controls make the biggest difference in the security posture of an organization.
Then there is everyone that does "Governance, Risk and Compliance" (GRC). Bingo! Sorry, I thought I was at Infosec. After all, the majority of companies only do security for compliance, and regulations are growing increasingly
Then all the middle managers in security, risk and compliance: absolutely mandatory to keep the troops motivated and in line. No decently large company could do what 37signals has achieved, right? Of course we still need all the bottom-of-the-pyramid security underlings running firewalls, provisioning access and monitoring the SIEM. We would never want to outsource or automate these services.
Finally, where the bullet hits closest to home: security architecture and design for projects. Even on Agile projects we perform a CIA analysis and advise on the inherent risk of a project before it even starts, which of course is always listened to. We write security requirements, derived from threat models, that reduce reinventing the wheel and integrate with the enterprise security infrastructure. We review and collaborate on the design, develop attack trees and misuse cases for sprints, and plan security testing. When Fortify360 finds 300 cross-site scripting vulnerabilities, we advise on how they can be fixed. Look, even Microsoft says we are necessary, even for Agile processes, and that is working so well. But does the business care about any of this, or would they rather have someone who is helping to get the code completed securely and delivered?
All the security guys I know who can code enjoy breaking things too much and either run or work for pen test companies; very few seem interested in working for end-user companies building defenses. Even the few that do, do so as part of security consulting vendors; very few real security hackers work for companies building new systems.
Thankfully it seems unlikely that any large company will soon replace all its security, risk and compliance staff with security engineers who code, but just to hedge my bets a little bit I'm going to work on some Node.js and jQuery to maintain http://www.simplesecurityra.com (shameless plug). Any links to outstanding resources for either that I can't find easily on Google would be greatly appreciated #lazyweb. Damn, in the hour it took me to write this I could have got hello world and a Twitter feed working on my Node server.
Like this post? Get updates via RSS or follow me on Twitter @rakkhis
- Agile software development poster. http://en.wikipedia.org/wiki/Agile_software_development
- Beck, Kent; et al. (2001). "Principles behind the Agile Manifesto". Agile Alliance. Retrieved 2011-04-06.