The patching treadmill: Why traditional application security is no longer enough

· Source: News and Advice on the World's Latest Innovations | ZDNET · Field: Technology & Digital — Software Development & Engineering, Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning · Depth: Intermediate, medium

Summary

Traditional application security models, characterized by "find-and-fix" and "defend-and-defer" approaches, are becoming obsolete under the rapid pace of modern software development, especially with continuous integration/continuous deployment (CI/CD) and AI-assisted coding. The article highlights that development teams are overwhelmed by vulnerability backlogs, with network issues taking 54 days and web application issues nearly 75 days to fix on average. Verizon's 2025 Data Breach Incident Report indicates that 20% of initial system access by threat actors comes from code vulnerabilities, a 34% increase over the previous year. Furthermore, 32.1% of known exploited vulnerabilities (KEVs) had exploitation evidence before their Common Vulnerabilities and Exposures (CVE) identifiers were issued, meaning attackers often know about flaws before developers do. This necessitates a shift in application security toward integrating earlier into the code creation process, rather than relying solely on reactive post-release patching.

Key takeaway

For AI Architects and CTOs overseeing rapid development cycles, your current "find-and-fix" and "defend-and-defer" security strategies are likely unsustainable. The accelerating pace of AI-assisted coding and CI/CD pipelines means vulnerabilities are introduced faster than they can be patched, increasing breach risk. You must shift security left, embedding it into the code creation process to prevent issues rather than react to them, reducing costly context switching and vulnerability backlogs.

Key insights

Reactive security models are insufficient for modern, fast-paced, AI-assisted software development, demanding a shift left.

Best for: AI Architect, CTO, VP of Engineering/Data, Software Engineer, AI Security Engineer, MLOps Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by News and Advice on the World's Latest Innovations | ZDNET.