The following article summarizes a recent SC webcast discussion between Host Mike Shema and Daniel Berman, Director of Product Marketing at Snyk. They delve into how to build a modern AppSec program that prioritizes risk, not noise. Key to this approach is integrating security seamlessly into developer workflows. Tools should provide clear, prioritized guidance that helps developers understand:Modern AppSec tools are evolving from simple scanners into comprehensive platforms that offer:The future of application security isn't about catching every vulnerability, but about intelligently managing risk.Organizations should start small, focusing on business-critical applications and demonstrating tangible risk reduction.By showing concrete results, AppSec teams can build confidence across development and leadership. The key metrics are no longer simply the number of vulnerabilities found and fixed, but:As Berman concludes, the goal is to give developers more time to do what they do best: create innovative code that drives business value.
The overwhelming challenge of modern AppSec
Application security teams are drowning in a sea of vulnerabilities. The CVE program has grown from 321 entries in 1999 to over 280,000 today, creating an impossible task for security professionals.Daniel Berman from Snyk highlighted the core problem: Development teams are building applications faster than ever, with AI accelerating the pace even further, while applications become increasingly complex webs of microservices, APIs, and cloud services.Traditional security approaches have become obsolete. Scanning tools generate massive lists of findings that are disconnected from actual business context, leaving AppSec teams manually piecing together risk assessments. The old model of creating lengthy vulnerability lists and handing them to developers creates bottlenecks, mistrust, and significantly slows down development processes.A risk-based approach to security
The solution lies in a fundamentally different approach: prioritizing risk over volume. Instead of trying to fix every single vulnerability, organizations need to develop a comprehensive understanding of their applications. This means implementing an asset-first strategy that considers multiple layers of context:- Technical Context: Understanding the specific security issues
- Runtime Context: Identifying whether an asset is deployed in production or is public-facing
- Business Context: Determining the critical importance of specific applications and microservices
- Why a specific issue matters
- The potential business impact
- Exactly how to fix the problem
- Automated risk assessment
- Contextual prioritization
- Easy-to-implement fixes
- Integration with developer environments
The AI revolution in application security
Artificial intelligence is both amplifying security challenges and providing new solutions. AI-generated code introduces additional complexity, potentially creating vulnerabilities at an unprecedented scale. However, AI also offers powerful tools for AppSec teams, including:- Advanced risk calculation models
- Automated threat modeling
- Intelligent policy enforcement
- Comprehensive risk graph generation
- Development velocity
- Developer satisfaction
- Scanning coverage of critical assets
- Actual risk mitigation





