Saturday, 6 February 2010

Abuser stories - security testing in agile development

My grand employer Ericsson is sending its software engineers on a 60 ECTS course at the Royal Institute of Technology in Stockholm called Advanced Course for Software Developers. I am attending class 21, and this week we had "IT Security for Programmers". On Friday a young Swede called Gustav Bostrøm lectured on "Secure Software Engineering". In this lecture he talked about the lack of risk management and security testing in agile projects and gave us the idea of abuser stories.

Both XP and Scrum are good for software security/safety because of the unit tests and the Clean Code paradigm. Bugs and errors in software are attack points for black hat hackers, so better code and better test coverage give fewer bugs and more secure software.

Abuser stories are similar to user stories, but they are told from the attacker's point of view: the "customer" writes down possible attacks on the software system. So the stories would not read "As a customer I want to......" but rather "As a black hat hacker I would like to create a SQL injection on the web page, getting a list of all users in the system" or "As a script kiddie I would like to perform a DoS attack on the NN web site."

The abuser stories should be performed in an "Attack Sprint", a sprint in which no new functionality is added to the system, and nothing should be added after the attack sprints either. Adding functionality to the system might invalidate the results of the abuser stories and would force a new round of attack sprints.
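As an added illustration (my own code, not from the lecture), here is the SQL injection abuser story above written as an executable test: the story is run against a constructed user table with both a concatenated and a parameterised lookup, so the team can re-run it after every sprint instead of scheduling a new attack sprint by hand. The table contents, the function names and the injection string are all assumptions made for this example.

```python
"""Abuser story as an executable test (constructed example).

Story: "As a black hat hacker I would like to create a SQL injection
on the web page, getting a list of all users in the system."
"""
import sqlite3

# Well-known injection string, used here only as the story's test input.
ATTACK_INPUT = "x' OR '1'='1"


def make_db():
    """In-memory user table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"),
         ("bob", "bob@example.org"),
         ("carol", "carol@example.org")],
    )
    return conn


def find_user_unsafe(conn, name):
    """Builds the query by string concatenation: the code the story targets."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterised query: user input never becomes part of the SQL text."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def leaked_rows(lookup):
    """Number of user rows the story's input pulls out of a given lookup."""
    conn = make_db()
    return len(lookup(conn, ATTACK_INPUT))


def abuser_story_blocked(lookup):
    """True when the story fails against this lookup, i.e. the attack sprint passes.

    A made-up name must match no real user, let alone all of them.
    """
    return leaked_rows(lookup) == 0


if __name__ == "__main__":
    for fn in (find_user_unsafe, find_user_safe):
        print(fn.__name__, "blocks the abuser story:", abuser_story_blocked(fn))
```

Running it shows the concatenated lookup handing back all three users while the parameterised one returns none, which is exactly the pass/fail signal an attack sprint wants.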