A company has decided to move to an agile software development methodology. The company
gives all of its developers security training. After a year of agile, a management review finds that
the number of items on a vulnerability scan has actually increased since the methodology change.
Which of the following best practices has MOST likely been overlooked in the agile
implementation?

A.
Penetration tests should be performed after each sprint.

B.
A security engineer should be paired with a developer during each cycle.

C.
The security requirements should be introduced during the implementation phase.

D.
The security requirements definition phase should be added to each sprint.