AI is transforming software - and security. Discover why it’s the best (and hardest) time to be an AppSec engineer.

If You’re an AppSec Engineer, You’re Lucky

We live in crazy times. AI is automating code, and it’s also automating the exploitation of vulnerabilities. Code written by AI introduces new kinds of vulnerabilities we never imagined, alongside the same old ones, but on a much larger scale. We don’t yet know how to deal with that. Everyone is adopting new technologies, and security grows more complex as human manipulation now extends to software itself. Being a security professional today is more important than ever, and with the power of AI, you can make a greater impact than at any point before.

Thesis

This article is based on three assumptions:

  • In the coming years, 99% of code will be written, tested, and reviewed by AI.
  • The use of AI models embedded within software will continue to grow.
  • Code written by AI is not inherently safer than code written by humans.

If these assumptions hold true, the implications for application security are enormous. AI-driven development won’t eliminate risk. It will multiply it, and the velocity of change will leave little room for manual processes. The security profession will need to reinvent itself to stay relevant.

What Changed

AI is already reshaping how software gets written. Pull requests, tests, even deployments - much of it is being automated.

That leads to:

  • More code, produced faster
  • Fewer people reviewing it
  • The same bugs and risks we have always had

In other words, the problems did not disappear. They are just showing up at scale. The speed of delivery has increased dramatically, but the safety nets that traditionally caught issues, such as peer reviews, QA cycles, and manual security testing, are shrinking. This is the paradox of AI in software: it solves for speed, but leaves security in a constant race to keep up.

Where Security Fits

Almost every application security engineer I’ve met has tasks they wish developers would handle for security, but those tasks are often ignored or deprioritized. The tension between development velocity and security is not new, but AI creates a new dynamic.

The good news is that AI follows instructions. It doesn’t ignore Jira tickets. It doesn’t argue during sprint planning. Instead of chasing developers, you can automate fixes, automate reviews, and even automate secure development practices. Rather than training humans, you can now provide cybersecurity prompts for agents. We’re only scratching the surface of the automation that’s coming.

This means the AppSec role can shift from persuading and policing to enabling and embedding. You can literally encode secure practices into the very fabric of how software is generated.

New Risks, New Responsibilities

AI also introduces new attack surfaces:

  • Prompt injection
  • Training data poisoning
  • Automated supply chain abuse

Attackers are also adopting AI, and they are moving faster than traditional patch cycles can accommodate. If remediation still takes weeks, it is not effective. The bar is now hours. And these are not hypothetical scenarios - early examples are already surfacing in the wild. Imagine an automated adversary that never sleeps, scanning and exploiting vulnerabilities at scale, and you begin to see the stakes.

For AppSec engineers, this is both a challenge and an opportunity. You’re not just protecting against old threats dressed up in new clothes; you’re defining what security even means in this new era.

What AppSec Teams Need to Do

This shift changes the job description:

  • Build security directly into automated workflows
  • Automate remediation, not just detection
  • Cut MTTR to hours
  • Monitor AI-specific threats as part of normal operations

If you're not sure where to start, focus on reducing MTTR - but only for the findings that actually matter. Don't waste cycles trying to fix false positives quickly. Prioritize what you know is real and impactful. That alone can shift how security is perceived and delivered in the organization.

Beyond that, security leaders must think about governance and accountability. Who owns AI-driven code? Who is responsible for ensuring AI-generated logic does not introduce compliance violations or bias? These questions move AppSec from the technical to the strategic. The teams that answer them first will set the tone for the rest of the industry.

Conclusion

AI makes AppSec central to how modern software is built and secured. The work is harder, but it is also more impactful. AppSec now has more influence than ever to shape how secure software gets built. The opportunity to make a meaningful impact across engineering and operations is real and growing.

If you’re an AppSec engineer today, you’re lucky. You’re in the middle of the biggest transformation the field has ever seen. Your ability to adapt, automate, and lead will not just determine the safety of individual applications, but potentially the resilience of entire digital ecosystems.


By Amit Chita, Field CTO at Mend.io
