Why AppSec Can’t Keep Up With AI-Generated Code

StackHawk co-founder and CSO Scott Gerlach has spent most of his career running security teams, and his take on application security is shaped by a simple reality: developers are still too often the last to know when their code ships with risk. Gerlach explains why that gap has widened in the age of modern CI/CD, and why AI is now pouring gasoline on the problem.

As release velocity climbed to multiple deployments per week, traditional approaches to application security testing (often centered on periodic production checks) stopped scaling. At the same time, engineering teams are increasingly using LLMs and coding agents to generate far more code, far faster. Even if AI-written code is approaching parity with human-written code in terms of vulnerabilities, Gerlach argues the bigger issue is volume and speed: AppSec programs haven’t evolved at anything close to an 8x or 10x pace.

Gerlach emphasizes that some of the most damaging risks today don’t stem from obvious coding errors, but from flaws in business logic — particularly in APIs. Authorization failures, cross-tenant data exposure, and misuse of legitimate functionality remain difficult to detect without exercising how an application actually behaves. These issues rarely surface through static analysis alone and often emerge only when systems are tested as users — or attackers — would interact with them.

The challenge for security teams is prioritization. With limited time and resources, testing everything is neither practical nor effective. Instead, organizations must focus on areas where change is frequent, sensitive data is handled, or APIs act as the connective tissue between services. Behavioral testing, guided by an understanding of intended system use, becomes essential in this context.
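The kind of flaw Gerlach describes, as an added illustration (not code from the article or from StackHawk): a minimal in-memory "invoice" endpoint whose authorization bug passes any linter or static scan, beside a tenant-scoped version, and a behavioral check that exercises the endpoint as each tenant would and reports any cross-tenant row it receives. All data, tokens and tenant names are constructed for the example.

```python
# Added example, not from the article or StackHawk. A minimal in-memory
# "API" whose authorization bug is invisible to static analysis but shows up
# as soon as the endpoint is exercised as two different tenants would.
from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    id: int
    tenant: str
    amount: int


# Constructed sample data: two tenants, one invoice each.
INVOICES = {1: Invoice(1, "acme", 500), 2: Invoice(2, "globex", 900)}
# Constructed sessions: bearer token -> tenant the caller is authenticated for.
SESSIONS = {"tok-acme": "acme", "tok-globex": "globex"}


def get_invoice_vulnerable(token, invoice_id):
    """Looks the invoice up by id only; the caller's tenant is never compared."""
    if token not in SESSIONS:
        return 401, None
    inv = INVOICES.get(invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice_fixed(token, invoice_id):
    """Scopes the lookup to the caller's tenant. Unknown and foreign ids both
    return 404 so the response does not reveal that the row exists."""
    tenant = SESSIONS.get(token)
    if tenant is None:
        return 401, None
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.tenant != tenant:
        return 404, None
    return 200, inv


def cross_tenant_findings(handler):
    """Behavioral check: call the endpoint with every session against every
    invoice id and report each (tenant, id) where a foreign row came back."""
    findings = []
    for token, tenant in SESSIONS.items():
        for invoice_id in INVOICES:
            status, body = handler(token, invoice_id)
            if status == 200 and body.tenant != tenant:
                findings.append((tenant, invoice_id))
    return findings


if __name__ == "__main__":
    print("vulnerable:", cross_tenant_findings(get_invoice_vulnerable))
    print("fixed:     ", cross_tenant_findings(get_invoice_fixed))
```

In a real suite the same loop runs against a deployed test environment with one authenticated session per tenant, which is the behavioral testing the article argues static analysis cannot replace.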

Ultimately, Gerlach frames the goal of modern application security as enablement rather than obstruction. When security insight keeps pace with development speed, teams can shift from slowing releases to confidently supporting them — allowing organizations to move faster without sacrificing trust or resilience.

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.