The Good Tech Companies - If You’re an AppSec Engineer, You’re Lucky

Episode Date: September 26, 2025

This story was originally published on HackerNoon at: https://hackernoon.com/if-youre-an-appsec-engineer-youre-lucky. AI is transforming software - and security. Discover why it's the best (and hardest) time to be an AppSec engineer. Check more stories related to machine-learning at: https://hackernoon.com/c/machine-learning. You can also check exclusive content about #ai, #appsec, #ai-applications, #ai-generated-code, #secure-ai-development, #software-supply-chain, #prompt-injection, #good-company, and more. This story was written by: @mend. Learn more about this writer by checking @mend's about page, and for more stories, please visit hackernoon.com.

Transcript
Starting point is 00:00:00 This audio is presented by Hacker Noon, where anyone can learn anything about any technology. If You're an AppSec Engineer, You're Lucky, by Mend.io. We live in crazy times. AI is automating code, and it's also automating the exploitation of vulnerabilities. Code written by AI introduces new kinds of vulnerabilities we never imagined, alongside the same old ones, but on a much larger scale. We don't yet know how to deal with that. Everyone is adopting new technologies, and security grows more complex as you. Human manipulation now extends to software itself. Being a security professional today is more important than ever, and with the power of AI, you can make a greater impact than at any point before. This article is based on three assumptions. In the coming years, 99% of code will
Starting point is 00:00:47 be written, tested, and reviewed by AI. The use of AI models embedded within software will continue to grow. Code written by AI is not inherently safer than code written by humans. If these assumptions hold true, the implications for application security are enormous. AI-driven development won't eliminate risk. It will multiply it, and the velocity of change will leave little room for manual processes. The security profession will need to reinvent itself to stay relevant. What changed? AI is already reshaping how software gets written. Pull requests, tests, even deployments, much of it is being automated. That leads to more code, produced faster, fewer people reviewing it, the same bugs and risks we have always had. In other words,
Starting point is 00:01:34 the problems did not disappear. They are just showing up at scale. The speed of delivery has increased dramatically, but the safety nets that traditionally caught issues, such as peer reviews, QA cycles, and manual security testing, are shrinking. This is the paradox of AI and software. It solves for speed, but leaves security in a constant race to keep up. Where security fits. Almost every application security engineer I've met has tasks they wish developers would handle for security, but those tasks are often ignored or deprioritized. The tension between development velocity and security is not new, but AI creates a new dynamic. The good news is that AI follows instructions. It doesn't ignore Jira tickets. It doesn't argue during sprint planning. Instead of
Starting point is 00:02:19 chasing developers, you can automate fixes, automate reviews, and even automate secure development practices. Rather than training humans, you can now provide cybersecurity prompts for agents. We're only scratching the surface of the automation that's coming. This means the AppSec role can shift from persuading and policing to enabling and embedding. You can literally encode secure practices into the very fabric of how software is generated. New risks, new responsibilities. AI also introduces new attack surfaces: prompt injection, training data poisoning, automated supply chain abuse. Attackers are also adopting AI, and they are moving faster than traditional patch cycles can accommodate. If remediation still takes weeks, it is not effective. The bar is now
Starting point is 00:03:04 hours. And these are not hypothetical scenarios. Early examples are already surfacing in the wild. Imagine an automated adversary that never sleeps, scanning and exploiting vulnerabilities at scale, and you begin to see the stakes. For AppSec engineers, this is both a challenge and an opportunity. You're not just protecting against old threats dressed up in new clothes. You're defining what security even means in this new era. What AppSec teams need to do. This shift changes the job description. Build security directly into automated workflows. Automate remediation, not just detection. Cut MTTR to hours. Monitor AI-specific threats as part of normal operations. If you're not sure where to start, focus on reducing MTTR, but only for the findings that actually matter.
Starting point is 00:03:50 Don't waste cycles trying to fix false positives quickly. Prioritize what you know is real and impactful. That alone can shift how security is perceived and delivered in the organization. Beyond that, security leaders must think about governance and accountability. Who owns AI-driven code? Who is responsible for ensuring the AI-generated logic does not introduce compliance violations or bias? These questions move AppSec from the technical to the strategic. The teams that answer them first will set the tone for the
Starting point is 00:04:20 rest of the industry. Conclusion. AI makes AppSec central to how modern software is built and secured. The work is harder, but it is also more impactful. AppSec now has more influence than ever to shape how secure software gets built. The opportunity to make a meaningful impact across engineering and operations is real and growing. If you're an AppSec engineer today, you're lucky. You're in the middle of the biggest transformation the field has ever seen. Your ability to adapt, automate, and lead will not just determine the safety of individual applications, but potentially the resilience of entire digital ecosystems. By Ahmed Chita, Field CTO at Mend.io. Thank you for listening to this HackerNoon story, read by artificial intelligence. Visit hackernoon.com to read, write, learn and publish.