ZDNET: Traditional app security broken by AI speed and CI/CD
Vulnerability backlogs and continuous deployment render find-and-fix obsolete.
ZDNET's special feature declares the old application security playbook broken. The 'patching treadmill' of find-and-fix cycles—where flaws are caught after shipping and patched reactively—no longer works. Continuous integration/continuous deployment (CI/CD) delivers updates constantly, and AI-assisted coding accelerates output, spawning vulnerabilities faster than teams can triage. Defend-and-defer practices (firewalls, monitoring, compensating controls) merely wallpaper over deep-seated code issues, leaving root causes intact.
The article calls for a fundamental shift: move security into code creation itself. Instead of bolting on fixes post-release, organizations must embed security checks during development—using static analysis, secure-by-design patterns, and AI guardrails. While find-and-fix and defend-and-defer will never fully vanish (unexpected behavior always occurs), they are no longer sufficient as primary strategies. The pace of modern development demands proactive, integrated security from the first line of code.
- CI/CD pipelines and AI-assisted coding produce releases faster than traditional security reviews can handle.
- Find-and-fix cycles create overwhelming vulnerability backlogs, pulling developers away from new work.
- Defend-and-defer practices (e.g., firewalls, access restrictions) mask flaws but don't resolve root causes in older code.
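What "embedding security checks during development" looks like in practice is a merge gate that runs in the pipeline itself. The script below is an added example, not code from the ZDNET feature or from any named product. It assumes the static analyzer emits SARIF 2.1.0 (the interchange format most SAST tools can write) and that the team keeps a baseline file of findings already triaged into the backlog, so the gate blocks only new error-level findings rather than re-failing every build on the historical backlog the article describes. The SARIF document, rule ids and file paths are constructed for the example.

```python
"""Shift-left merge gate over SARIF output (added example, hypothetical tool).

Fails the CI job on error-level findings that are not already in the
triaged baseline, so a backlog of old findings does not block every build
while new code is still held to the bar.
"""
import hashlib
import json

# Constructed SARIF document standing in for a real analyzer's output.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "query built by string concatenation"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "error",
             "message": {"text": "credential literal in source"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/config.py"},
                 "region": {"startLine": 7}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "unused import os"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 1}}}]},
        ],
    }],
}

# SARIF severity levels in ascending order; "warning" is the spec default.
LEVEL_ORDER = {"note": 0, "warning": 1, "error": 2}


def finding_key(result):
    """Stable identity for a finding (rule + file + line), hashed so the
    committed baseline carries no source text."""
    loc = result["locations"][0]["physicalLocation"]
    raw = "|".join([
        result["ruleId"],
        loc["artifactLocation"]["uri"],
        str(loc.get("region", {}).get("startLine", 0)),
    ])
    return hashlib.sha256(raw.encode()).hexdigest()[:16]


def extract_findings(sarif, min_level="error"):
    """Return results at or above min_level across all runs."""
    threshold = LEVEL_ORDER[min_level]
    found = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            level = result.get("level", "warning")
            if LEVEL_ORDER.get(level, 1) >= threshold:
                found.append(result)
    return found


def write_baseline(sarif, min_level="error"):
    """Keys of current findings, to be committed as the accepted backlog."""
    return sorted({finding_key(f) for f in extract_findings(sarif, min_level)})


def gate(sarif, baseline_keys, min_level="error"):
    """Return (passed, new_findings, baselined_count)."""
    findings = extract_findings(sarif, min_level)
    new = [f for f in findings if finding_key(f) not in baseline_keys]
    return (len(new) == 0, new, len(findings) - len(new))


if __name__ == "__main__":
    import sys
    # In CI: sarif = json.load(open("results.sarif")); baseline from a file.
    passed, new, known = gate(SAMPLE_SARIF, set())
    for f in new:
        loc = f["locations"][0]["physicalLocation"]
        print(f"{loc['artifactLocation']['uri']}:{loc['region']['startLine']} "
              f"[{f['level']}] {f['ruleId']}: {f['message']['text']}")
    print(f"{len(new)} new finding(s), {known} already baselined")
    sys.exit(0 if passed else 1)
```

The baseline is what keeps a gate like this usable on a codebase with an existing backlog: it is generated once from the current scan, committed, and shrinks as old findings are fixed, while any error-level finding introduced by a change fails the job immediately. Keying on rule, file and line is deliberately simple and will churn when lines move; SARIF's `partialFingerprints` field exists for analyzers that can supply a more stable identity, and a production gate should prefer it when present.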
Why It Matters
Development teams must embed security into code creation or risk being outpaced by AI-generated vulnerabilities.