AI-Driven Code Surge Is Forcing a Rethink of AppSec
Summary
In an interview with Dark Reading, Black Duck CEO Jason Schmitt argues that AI has turbocharged software production — organisations are delivering roughly 10–20× more code than a year ago — and that traditional application security approaches cannot scale to match this pace. Schmitt frames this as the “third wave of application security”: moving beyond manual review and DevOps integration to an AI-driven model that works at speed and scale. He also stresses that AI is both a driver of risk and an essential part of the solution when embedded into development workflows to enable continuous, autonomous security.
Key Points
- Organisations are producing vastly more software (Schmitt estimates 10–20× year-on-year growth), creating scale problems for legacy AppSec tools.
- AI expands the attack surface and makes it easier for adversaries to find and exploit vulnerabilities.
- Schmitt calls the shift the “third wave of application security”: an AI-native approach that complements DevOps and manual testing.
- AI should be embedded into development workflows to analyse large codebases, surface business-logic flaws, and enable continuous, low-friction security checks.
- Rather than replacing existing tooling, AI enhances and accelerates it — allowing continuous, intelligent security at machine speed.
- Black Duck (formerly Software Integrity Group) remains positioned as a market leader and is using AI to adapt AppSec capabilities to the new scale of code production.
Why should I read this?
Short and sharp: if you touch AppSec, dev teams or supply-chain security, this explains why the old playbook won’t cut it. It tells you that AI isn’t just hype — it’s the reason your security tools need to be smarter and faster. Read it so you don’t get left fixing yesterday’s problems tomorrow.
Author’s take
Punchy and to the point: this is a must-see for AppSec leads and CISOs. The piece warns that scale has changed the game — if you treat AI as just another checkbox, you’ll fall behind. Schmitt’s view is clear: AI both causes and cures the problem, so start planning AI-native security controls now.
Context and relevance
This article sits squarely within several ongoing trends: rapid adoption of generative and agentic AI in development, the explosion of software outputs, and rising concerns over the software supply chain and business-logic vulnerabilities. For teams wrestling with continuous delivery, the takeaway is to prioritise AI-enabled security that integrates into developer workflows and supports autonomous, continuous testing rather than one-off scans.
