SK
Back to Articles

The More Things Change: 18 Years of AppSec in the Trenches 

2025-12-2825 min read
Share:
The More Things Change: 18 Years of AppSec in the Trenches

After 18 years in Application Security across Finance, Telecom, and Oil & Gas, I've seen tools transform while fundamental challenges remain eternal. From SQL injection to prompt injection, from monolithic banking apps to AI agents—the friction between velocity and safety never changes.

Opening Scene: 2008 vs. 2026

2008: I'm sitting in a conference room with a frustrated Java developer, arguing about a stored procedure fix for SQL injection in a monolithic banking application. The release cycle is six months. The developer insists parameterized queries will "slow down the database." I show him the OWASP Top 10 2007 printed on paper. He reluctantly agrees. We schedule the fix for the next quarterly release.

2026: I'm on a Zoom call with a Prompt Engineer, arguing about input sanitization for an unconstrained LLM agent running in a Kubernetes cluster. The release cycle is six minutes. The engineer insists context validation will "limit the AI's creativity." I share a link to the OWASP LLM Top 10. They reluctantly agree. The fix deploys in the next sprint... which ends tomorrow.

The thesis: The tools, the speed, and the acronyms have changed completely. But the fundamental friction—innovation versus control, velocity versus safety—remains exactly the same. After 18 years in Application Security, spanning three continents and three heavily regulated industries (Finance, Telecommunications, and Oil & Gas), I've learned that some things transform while others are eternal. Here's what I've seen.

What HAS Changed: The Transformation

1. The "Whose Job Is It?" Shift

Then (2008-2012): Security was the Security Team's job. We were the "Department of No," the gatekeepers who showed up three weeks before go-live with a 47-page penetration test report. Developers saw us as obstacles. We saw them as reckless.

Now (2026): Security is the Developer's job. Or the Platform Team's job. Or the SRE's job. The term "DevSecOps" emerged around 2015, born from the realization that you cannot pentest your way out of a backlog when teams deploy 50 times a day. Security shifted from a gate to a guardrail—automated into CI/CD pipelines, embedded in IDEs, and (ideally) invisible to the developer unless something breaks. The cultural shift is real: in 2008, suggesting that developers "own security" would have been laughed out of the room. In 2026, it's table stakes.

2. The Attack Surface Explosion (Industry-Specific Realities)

Finance: From "Guard the Vault" to "Guard the API"

In 2008, banking security was about protecting the vault—literal data centers with physical access controls, hardware firewalls, and the assumption that the perimeter was the battleground. By 2019, Open Banking regulations (PSD2 in Europe, similar frameworks globally) forced us to poke holes in those firewalls and expose APIs to third parties. The Capital One breach that year—where a misconfigured WAF allowed an SSRF attack to dump 100 million customer records—proved that cloud configuration is application security now. The attack surface didn't just grow; it evaporated the perimeter entirely.

Telecom: From Proprietary Hardware to "Spicy Kubernetes"

In 2010, Telco security was about protecting proprietary systems—SS7 networks, closed signaling protocols, the "walled garden" myth. When SS7 vulnerabilities were publicly demonstrated in 2014, proving that global call/SMS tracking was trivial, the industry realized the walls were cardboard. By 2025, 5G Standalone networks deployed globally. The core network is now "Service Based Architecture" (SBA)—essentially microservices communicating via HTTP/2 and JSON. A modern 5G core is just a very expensive Kubernetes cluster with REST APIs. The 2022 Optus breach in Australia (an unauthenticated API endpoint exposing 10 million customers) was the wake-up call: Telcos are now software companies, whether they're ready or not.

Oil & Gas: From Air-Gapped Safety to "Connected Refineries"

In 2010, Operational Technology (OT) security relied on the air-gap myth—the belief that industrial control systems were physically separated from IT networks and thus safe. Stuxnet (2010) shattered that illusion by bridging the "air gap" via infected USB drives and supply chain compromise, sabotaging Iranian nuclear centrifuges via malicious PLC firmware. Then came TRITON in 2017—malware that targeted Safety Instrumented Systems (SIS) at a Saudi petrochemical plant. This wasn't malware designed to steal data. It was designed to disable safety shutdowns and potentially kill people. The Colonial Pipeline ransomware attack in 2021—where a leaked VPN password on an IT network shut down the largest fuel pipeline in the US—proved that IT and OT are one network now. You cannot secure the refinery without securing the billing system that connects to it.

3. The Regulatory Hammer: From Checkbox to Boardroom

Then: PCI DSS v1.2 (2008) was the bible. Compliance meant filling out spreadsheets and paying for annual audits. Security was a line item.

Now: GDPR (2018), DORA in the EU (2024), and SEC 4-day breach disclosure rules (2023) turned compliance into a survival metric. Boards now ask CISOs directly: "Are we going to get fined? Are we going to lose our license?" The Equifax breach (2017)—where failure to patch a six-month-old Apache Struts vulnerability exposed 147.9 million people—resulted in a $700 million settlement and made "software supply chain" a boardroom phrase.

What HASN'T Changed: The Hard Truths

1. Injection is Forever

The Pattern of Pain:

  • 2008: SQL Injection was king. The Heartland Payment Systems breach (130 million cards stolen via SQLi) taught everyone to use parameterized queries.
  • 2014: We "solved" SQLi, then replaced it with Command Injection and XML External Entity attacks.
  • 2021: Log4Shell (Log4j) proved that even logging libraries could execute untrusted input via JNDI lookups, affecting half the internet within 24 hours.
  • 2026: Prompt Injection is the new SQLi. LLM agents happily execute malicious instructions embedded in user input, emails, or even web pages they browse.

The lesson: The vulnerability class never dies. "Untrusted input → execution" is the cockroach of AppSec. We keep building new execution engines (databases, shells, loggers, AI models), and attackers keep finding ways to smuggle instructions through input fields.

2. Asset Inventory is Still a Nightmare

2008: "We don't know which servers we own."

2026: "We don't know which API endpoints are exposed" or "We don't know which AI agents are running in production."

The problem mutates but never dies:

  • In Finance, it's shadow APIs created by business units who "just need to move fast."
  • In Telco, it's shadow network functions deployed by engineers who bypassed the approval process.
  • In Oil & Gas, it's shadow OT—field engineers plugging 4G modems into PLCs because the corporate network is "too slow."

If you don't know what you have, you can't secure it. This was true in 2008. It's true in 2026. It will be true in 2035.

3. Business Logic Flaws > Tools

In 2016, the SWIFT Banking heist stole $81 million from Bangladesh Bank. The attackers didn't exploit a CVE. They exploited business logic: "The system allows transferring money even if the approval workflow is bypassed."

SAST, DAST, IAST, SCA, and now AI-powered code scanners—none of them can reliably find logic flaws like:

  • "User A can transfer money from Account B without owning Account B."
  • "The admin panel is accessible without authentication if you know the URL."
  • "The refund API doesn't validate that the original payment succeeded."

These require human expertise, threat modeling, and understanding the business domain. No tool vendor wants to admit this, but it's true.

4. The "Security Slows Us Down" Lie

2008: "We can't add input validation; it will delay the release."

2026: "We can't enable runtime protection; it will slow down the AI agent."

Eighteen years later, we're still having the same argument. And we still haven't fully convinced the business that:

  • The Equifax breach cost $700 million.
  • The Colonial Pipeline attack cost $4.4 million in ransom plus weeks of operational shutdown.
  • The reputational damage from a breach costs far more than the upfront investment in secure defaults.

Speed without safety is just recklessness with a Jira ticket.

The 2026 Pivot: Where Do We Go From Here?

The New Threat: AI-Generated Code

By 2026, conservative estimates suggest 40%+ of production code is AI-generated. GitHub Copilot, ChatGPT, and Claude are writing functions, APIs, and even entire microservices. The vulnerability backlog is now growing faster than humans can review it.

We're shifting from "Code Quality" to "Code Provenance":

  • Did a human review this?
  • Which AI model generated it?
  • What training data influenced it?
  • Can we trust code we didn't write and don't fully understand?

The Industry Outlook

Banks: Must prepare for Post-Quantum Cryptography (PQC) migration. The "Harvest Now, Decrypt Later" threat is real—adversaries are stealing encrypted data today to decrypt in 5-10 years when quantum computers mature.

Telcos: Must secure "Network as Code" before 6G arrives. If 5G cores are "spicy Kubernetes," 6G will be "Kubernetes on steroids with AI orchestration." The attack surface will be enormous.

Oil & Gas: Must accept that IT and OT are one network and defend them as such. The next TRITON won't target safety systems in isolation—it will pivot from IT to OT through the digital twin of the refinery.

Final Wisdom: Stop Chasing the Shiny Tool

After 18 years, I've learned to focus on three things:

  1. Know what you have (Asset Inventory): You can't secure what you don't know exists.
  2. Kill vulnerability classes, not individual bugs (Secure Defaults): Don't patch SQLi in 1,000 endpoints—enforce parameterized queries everywhere.
  3. Assume Breach (Resilience): Detection, response, and recovery matter more than prevention alone.

The tools will change. The frameworks will evolve. The acronyms will multiply. But the principles are eternal.

Conclusion: The 20-Year Veteran's Vow

I will not panic about AI-generated code. I survived the Cloud migration when everyone said "you can't trust someone else's servers." I survived the Mobile explosion when everyone panicked about "BYOD." I survived the Agile transformation when everyone claimed "security can't keep up with two-week sprints."

We will secure this too—provided we remember the lessons of the last 18 years:

  • Injection vulnerabilities never die; they just change disguises.
  • The human factor (misconfiguration, credential reuse, unpatched systems) remains the weakest link.
  • Regulation and breaches, not innovation, drive security investment.
  • The friction between velocity and safety is permanent—our job is to minimize it, not eliminate it.

If you're in AppSec, strap in. The next 18 years will be even wilder. But the fundamentals? Those don't change.

What's been your biggest "the more things change" moment in security?

View All Articles
2026 © Santhosh Kumar. All Rights Reserved.