Security professionals tend not to trust development and quality teams when it comes to application security, and so they try to force compliance with a rigorous AppSec program.
But especially in Agile, DevOps, and similar rapid development methods, that tends to cause a lot of problems. Development teams can and should own their own AppSec program—one that meets their needs—whether or not their security team supports them.
One way to do that is Responsive AppSec; I wrote an introduction to Responsive AppSec on the Veracode Blog. The comments system there sucks, so if you have a response, please tweet at me @DarrenPMeyer.