Why AppSec Can’t Keep Up With AI-Generated Code
Scott Gerlach points out that, driven by modern CI/CD and AI, developers often become aware of risk only after their code has shipped. Traditional application security testing cannot keep pace with rapid release cadences, and AI-generated code further compounds the problem of speed and volume. Business-logic vulnerabilities (such as API authorization failures) are hard to detect with static analysis and need behavioral testing to close the gap. Security teams should focus on high-risk areas and support development teams by enabling them rather than obstructing them. 2025-12-19 16:46:5 Author: securityboulevard.com (view original)


StackHawk co-founder and CSO Scott Gerlach has spent most of his career running security teams, and his take on application security is shaped by a simple reality: developers are still too often the last to know when their code ships with risk. Gerlach explains why that gap has widened in the age of modern CI/CD, and why AI is now pouring gasoline on the problem.

As release velocity climbed to multiple deployments per week, traditional approaches to application security testing (often centered on periodic checks against production) stopped scaling. At the same time, engineering teams are using LLMs and coding agents to generate far more code, far faster. Even if AI-written code carries roughly the same vulnerability density as human-written code, Gerlach argues the bigger issue is volume and speed: the same defect rate applied to 8x or 10x the output is 8x or 10x the findings, and AppSec programs haven't evolved at anything close to that pace.

Gerlach emphasizes that some of the most damaging risks today don't stem from obvious coding errors, but from flaws in business logic, particularly in APIs. Authorization failures, cross-tenant data exposure, and misuse of legitimate functionality remain difficult to detect without exercising how an application actually behaves. The code that returns a record to the wrong tenant looks identical to the code that returns it to the right one; the defect lies in which caller is allowed to ask, not in any single statement. These issues rarely surface through static analysis alone and often emerge only when systems are tested as users, or attackers, would interact with them.

The challenge for security teams is prioritization. With limited time and resources, testing everything is neither practical nor effective. Instead, organizations must focus on areas where change is frequent, sensitive data is handled, or APIs act as the connective tissue between services. Behavioral testing, guided by an understanding of how the system is intended to be used, becomes essential in this context.
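The kind of flaw described in the two paragraphs above, a cross-tenant read that static analysis cannot distinguish from correct code, and the behavioral test that does catch it, as an added example. This is not StackHawk's or Gerlach's code; the orders API, the two tenant tokens and the record store are constructed in-memory stand-ins for a real service so that the script runs offline. The probe simply asks, as an attacker would, for every known record ID with every tenant's credentials and reports any foreign record that comes back with a 200.

```python
"""Behavioral check for an object-level authorization flaw (cross-tenant read).

Added example, not code from the original article. ORDERS, TOKENS and the two
handlers are constructed stand-ins for a real HTTP service.
"""
from dataclasses import dataclass

# Constructed sample data: two tenants, one order each.
ORDERS = {
    "ord-1001": {"tenant": "acme", "total": 120.0},
    "ord-1002": {"tenant": "globex", "total": 75.5},
}
# Constructed bearer tokens; a real service would validate a signed token.
TOKENS = {"tok-acme": "acme", "tok-globex": "globex"}


@dataclass
class Response:
    status: int
    body: dict


def authenticate(headers):
    """Map an Authorization header to a tenant name, or None if invalid."""
    token = headers.get("Authorization", "").removeprefix("Bearer ").strip()
    return TOKENS.get(token)


def get_order_vulnerable(headers, order_id):
    """Authenticates the caller but never checks who owns the order.

    Every line here is individually correct, which is why a static scan
    has nothing to flag: the bug is the absent ownership comparison.
    """
    tenant = authenticate(headers)
    if tenant is None:
        return Response(401, {"error": "unauthenticated"})
    order = ORDERS.get(order_id)
    if order is None:
        return Response(404, {"error": "not found"})
    return Response(200, order)


def get_order_fixed(headers, order_id):
    """Same lookup, but the record must belong to the calling tenant."""
    tenant = authenticate(headers)
    if tenant is None:
        return Response(401, {"error": "unauthenticated"})
    order = ORDERS.get(order_id)
    # Answer 404 rather than 403 for foreign records so a caller cannot
    # enumerate other tenants' IDs by telling "forbidden" from "absent".
    if order is None or order["tenant"] != tenant:
        return Response(404, {"error": "not found"})
    return Response(200, order)


def cross_tenant_probe(handler):
    """Behavioral test: each tenant requests every known order ID, including
    ones it does not own. A 200 on a foreign record is a finding.
    Returns the list of (tenant, order_id) leaks."""
    leaks = []
    for token, tenant in TOKENS.items():
        headers = {"Authorization": f"Bearer {token}"}
        for order_id, record in ORDERS.items():
            resp = handler(headers, order_id)
            if resp.status == 200 and record["tenant"] != tenant:
                leaks.append((tenant, order_id))
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_tenant_probe(get_order_vulnerable))
    print("fixed handler leaks:     ", cross_tenant_probe(get_order_fixed))
```

The probe is what "testing as a user or attacker would" means in practice: it needs valid credentials for more than one tenant and a list of record IDs to try, which is why this kind of test is worth spending effort on for the endpoints that handle sensitive data and change often, rather than on everything.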

Ultimately, Gerlach frames the goal of modern application security as enablement rather than obstruction. When security insight keeps pace with development speed, teams can shift from slowing releases to confidently supporting them — allowing organizations to move faster without sacrificing trust or resilience.


Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.



Source: https://securityboulevard.com/2025/12/why-appsec-cant-keep-up-with-ai-generated-code/