The problem we’re not talking about enough
AI and fast-paced development are changing how software gets built. But they’re also accelerating the rate at which vulnerabilities appear.
For years, AppSec engineers carried the load. They fought the good fight, digging through endless alerts, investigating each suspicious signal, and often discovering… another false positive.
That work mattered. It still does. But the reality is that AI-assisted coding is multiplying the amount of code being produced — and, with it, the risks. If we don’t change how we manage security debt, we’re about to drown in it.
Many application security engineers told me: AI doesn’t fix security debt. It amplifies it.
From reactive firefighting to proactive remediation
If you’ve worked in AppSec for a while, you’ve seen the shift. The community has grown over the past few years. There are more tools, more frameworks, and more people calling themselves security engineers than ever before.
But the core of the job hasn’t evolved as much as it should have.
Engineers still spend hours analyzing scanner output that floods them with thousands of alerts — most of which lead nowhere. They are still manually triaging, verifying, and patching, while developers have already shipped the next version.
For the pioneers, this was exciting — digging deep into the software stack, tracing the path of an injection vulnerability through layers of code, learning your architecture inside out. It was chaotic but fulfilling.
That hands-on exploration built a generation of experts. But it doesn’t scale.
Today, code volume is exploding. The expectation for speed — from the business, from leadership, from users — leaves no time for manual investigation. AppSec engineers can’t be reactive anymore; they need to be strategic.
The end of the “pioneer era”
Let’s give credit where it’s due.
The first wave of AppSec engineers built the foundation of what we have today. They made AppSec possible in the first place. But now, those same people are tired. They’ve seen the same noisy alerts too many times. They’ve built the same custom scripts to clean up tool output. They’ve reviewed the same SQL queries, line by line, hundreds of times.
We need to scale what they built. We need to turn their experience into something that keeps pace with modern development.
AI changes everything
AI-assisted coding is the most significant productivity boost software development has ever seen. But if AI can generate code that fast, it can also create vulnerabilities that fast.
And that’s where we, as a community, need to catch up. We need AI-assisted security to match AI-assisted development.
This is not about replacing AppSec engineers. It’s about augmenting them — freeing them from the noise and the grunt work so they can focus on what truly matters: remediation, not triage.
What “security by design” really means today
For years, “security by design” meant endless documentation and review meetings. Before a single line of code existed, teams would gather around a table to discuss the architecture, the threat model, and the assets (credentials, customer data, etc.) that could be impacted.
It made sense when software development was linear. But today, that approach just doesn’t fit.
Developers don’t wait for meetings anymore. They prompt. They iterate. They test in real time. AI has turned coding into a creative dialogue — a back-and-forth between human intent and machine output.
So “security by design” has to evolve, too. It’s now about embedding security into the flow of work — right where development happens. It’s about being part of the vibe coding — that natural rhythm between a developer and their AI assistant. Security shouldn’t interrupt that flow. It should be part of it.
A glimpse into the next phase
At Glev, we’ve seen this story play out again and again. AppSec engineers are spending hours on false positives, teams are struggling to make sense of tool outputs, and developers are frustrated by long feedback loops.
That’s why we built a platform designed to be a central place for all code security issues — a space that connects the dots between alerts, context, and remediation.
It’s not about more data. It’s about better decisions.
By embedding the know-how of seasoned engineers into the workflow, we help teams move beyond security debt and toward security by design — where every line of code, every prompt, every AI suggestion is guided by built-in security intelligence.
From debt to design: your next move
If you’re building software and shipping it, here’s the truth: your value has never been higher. But the way you express that value has to evolve.
You can’t scale security passion. You can scale systems.
So the challenge now is to turn what your team knows — instincts, experience, hard-earned judgment — into workflows and tools. The future of AppSec isn’t about chasing alerts. It’s about shaping how software gets built in the first place.
Security by design isn’t a slogan anymore. It’s the only way forward.