To integrate any application security activity into agile development practices effectively, it needs to be lightweight and delivered in bite-sized chunks that seamlessly fit into existing development processes.
In the traditional approach to application security, it takes a lot of time to perform security activities, set them up as deployment gates, and communicate results to application owners. Manual secure code review, for example, can take weeks depending on the size of the application. If this activity is a requirement for application deployment, and your average agile sprint duration is two weeks, fitting the two together seems infeasible.
And don’t forget about reporting and remediation. With traditional security measures, not only do the security activities themselves take days to perform, but remediation takes even longer: reports containing all the findings have to be written, followed by hours-long knowledge transfer sessions to ensure that the developers understand the vulnerabilities. There’s a better way to achieve application security in a time-efficient manner without sacrificing quality.