The AppSec Crisis Isn't Detection — It's Remediation
Application security is no longer an engineering topic reserved for specialists: it has become a major governance issue. In 2025 there are nearly 50 million developers worldwide, and the software market is expected to triple by 2033. Software is everywhere (healthcare, finance, industry, energy, transport), and with it every organization's attack surface is exploding. When the average cost of a data breach reaches $4.88 million and cybercrime costs France alone more than €100 billion a year, securing the code you ship is no longer optional.
Yet on the ground, one observation comes up consistently among the CISOs, engineering leaders and AppSec experts we meet: the challenge is no longer finding flaws, it's fixing them. Detection capabilities (SAST, SCA, IaC scanning, secret detection, pentests, bug bounty programs) have become extremely powerful. The bottleneck has shifted to remediation.
This white paper — the first of two parts — lays out that reality in detail. Here are the three forces paralyzing DevSecOps today.
1. A software ecosystem under unprecedented pressure
Exploitation of application vulnerabilities has overtaken phishing to become the leading initial access vector in cyberattacks. It grew by 180% in a single year, and nearly 30% of actively exploited flaws are weaponized the very day they're disclosed. Against attackers able to weaponize a vulnerability within hours, monthly or quarterly patching cycles no longer hold: it takes organizations 55 days on average to fix even half of the known, actively exploited critical vulnerabilities.
On top of this comes a heavily targeted software supply chain (96% of codebases include open source components) and a tightening regulatory grip: the European Cyber Resilience Act now mandates security by design, with penalties of up to €15 million.
2. Operational complexity that overwhelms teams
In a large organization, detection tools generate up to 500,000 alerts per year. Between 95% and 98% are noise: false positives or findings that are not exploitable in context. Fewer than 5% actually require action. The result is widespread alert fatigue, developers in cognitive overload, and triage that is practically impossible because each tool operates in its own silo, with no shared view of which finding refers to which component.
The CVSS score the industry has historically relied on for prioritization only makes things worse. A CVSS base score expresses a flaw's theoretical, context-free severity; real risk depends on exposure (is the component reachable from the internet?), the criticality of the affected code or asset, and proven exploitability (is the flaw actively exploited, or has a pentest confirmed it?). Sorting by CVSS alone, teams end up fixing the wrong problem while the vulnerability an attacker would actually use stays open.
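What this looks like in practice, as an added illustration that is not part of the white paper and not the Glev method: the script below takes constructed sample output from three siloed tools (SCA, pentest, SAST), normalizes it into one record type, merges reports that concern the same issue on the same component, and ranks the result by exploit evidence, exposure and asset criticality rather than by CVSS base score. The raw record shapes, the asset inventory, the EPSS/KEV enrichment fields, the placeholder CVE ids and the scoring weights are all assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Finding:
    ident: str                 # CVE or CWE identifier (placeholders below are not real CVEs)
    component: str             # package@version or file:line
    cvss: float                # base score as reported by the tool
    tools: list = field(default_factory=list)
    epss: float = 0.0          # assumed EPSS enrichment (probability 0..1); 0 when unknown
    kev: bool = False          # assumed CISA KEV enrichment (known exploited)
    confirmed: bool = False    # exploitation demonstrated by a pentest or bug bounty report
    exposed: bool = False      # internet-facing according to the asset inventory
    reachable: bool = True     # vulnerable code path actually reachable (SCA reachability)
    tier: int = 3              # asset criticality, 1 (highest) .. 3


# Constructed sample output from three siloed tools. The shapes are assumptions,
# not any real scanner's format, and the CVE ids are placeholders.
SCA_RAW = [
    {"cve": "CVE-0000-0001", "package": "libfoo@1.2.3", "cvss": 9.8,
     "epss": 0.01, "kev": False, "reachable": False},
    {"cve": "CVE-0000-0002", "package": "webfw@4.0.1", "cvss": 6.5,
     "epss": 0.62, "kev": True, "reachable": True},
]
PENTEST_RAW = [
    {"ref": "CVE-0000-0002", "target": "webfw@4.0.1", "severity": 6.5, "exploited": True},
]
SAST_RAW = [
    {"cwe": "CWE-89", "file": "api/orders.py:42", "cvss": 8.2},
]
# Constructed asset inventory: component -> (internet exposed, criticality tier)
INVENTORY = {
    "libfoo@1.2.3": (False, 2),
    "webfw@4.0.1": (True, 1),
    "api/orders.py:42": (True, 1),
}


def normalize():
    """Translate each tool's native record into the common Finding shape."""
    out = []
    for r in SCA_RAW:
        out.append(Finding(r["cve"], r["package"], r["cvss"], ["sca"],
                           epss=r["epss"], kev=r["kev"], reachable=r["reachable"]))
    for r in PENTEST_RAW:
        out.append(Finding(r["ref"], r["target"], r["severity"], ["pentest"],
                           confirmed=r["exploited"]))
    for r in SAST_RAW:
        out.append(Finding(r["cwe"], r["file"], r["cvss"], ["sast"]))
    for f in out:  # attach context the scanners themselves do not know
        f.exposed, f.tier = INVENTORY.get(f.component, (False, 3))
    return out


def merge(findings):
    """Collapse the same issue on the same component, reported by several tools,
    into one record, keeping the evidence each tool contributed."""
    merged = {}
    for f in findings:
        key = (f.ident, f.component)
        if key not in merged:
            merged[key] = f
            continue
        m = merged[key]
        m.tools = sorted(set(m.tools) | set(f.tools))
        m.epss = max(m.epss, f.epss)
        m.kev = m.kev or f.kev
        m.confirmed = m.confirmed or f.confirmed
        m.reachable = m.reachable and f.reachable
        m.cvss = max(m.cvss, f.cvss)
    return list(merged.values())


def priority(f):
    """Assumed scoring heuristic: exploit evidence and exposure dominate,
    the CVSS base score only breaks ties. The weights are illustrative."""
    exploit = 1.0 if (f.kev or f.confirmed) else f.epss
    exposure = 1.0 if f.exposed else 0.3
    criticality = {1: 1.0, 2: 0.6, 3: 0.3}[f.tier]
    score = 0.45 * exploit + 0.25 * exposure + 0.20 * criticality + 0.10 * f.cvss / 10
    if not f.reachable:
        score *= 0.2  # vulnerable code is never executed: keep it visible, but deprioritize
    return round(score, 3)


def triage():
    """Merged findings, highest real-world priority first."""
    return sorted(merge(normalize()), key=priority, reverse=True)


def by_cvss():
    """The same merged findings ordered by CVSS base score alone, for comparison."""
    return sorted(merge(normalize()), key=lambda f: f.cvss, reverse=True)


if __name__ == "__main__":
    for f in triage():
        print(f"{priority(f):.3f}  cvss={f.cvss:<4} {f.ident:14} {f.component:18} {','.join(f.tools)}")
```

With this sample data the CVSS 9.8 library flaw (internal, unreachable, EPSS 0.01) drops to the bottom, while the CVSS 6.5 flaw that is internet-facing, KEV-listed and confirmed by the pentest comes first; sorting by CVSS alone would have inverted that order. The merge step is what ends the silo problem described above: the SCA and pentest reports of the same CVE on the same component become one ticket carrying both the reachability verdict and the exploitation proof.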
3. The AI mirage: an explosion in code volume
The massive adoption of AI coding assistants (GitHub Copilot, Cursor, Claude Code) delivers productivity gains above 40%, but it also reproduces flaws at scale. The data is alarming: 62% of generated code is found to contain vulnerabilities, with a markedly higher rate of injection and critical flaws than in human-written code. Handing security review to the same probabilistic agent that wrote the code is a fundamental governance mistake: it shares the blind spots that produced the flaw in the first place.
The verdict is clear
You can't build a secure structure on foundations eaten away by legacy vulnerabilities. Without a structured remediation plan, any security strategy is doomed. That is precisely the focus of the Glev method, which we detail in the second part of this white paper.