Enterprise leaders are making two decisions simultaneously. They are betting on AI to drive future growth and bracing for the security consequences of that choice.
The IBM Institute for Business Value found that 79% of executives expect a significant portion of their revenue to come from AI-assisted or AI-generated products by 2030. Another IBM study found that 96% believe that adopting generative AI will lead to a security breach within the year.
That tension is already showing up inside application security programs. AI is entering application development, and organizations need to use AI to secure their environments as well. IBM and Contrast Security laid out what leading organizations are doing in response and why the traditional model is no longer sufficient.
For the past two decades, application security has focused on finding vulnerabilities earlier in the lifecycle. Since 2001, the industry has been shifting left: SAST, DAST and pipeline controls are all widely deployed. Even so, attacks continue to reach production.
Untrusted deserialization. Zero days. AI-assisted attack techniques. These gaps are not theoretical—they are active paths attackers use today. The reason is simple. Most controls are still tuned to detect issues before runtime or observe behavior at the perimeter.
No organization relies on a perimeter firewall alone to protect its devices; it layers endpoint detection behind the firewall. Apply that same idea to the application layer and the gap becomes obvious: most environments stop at the WAF, with nothing operating within the application itself. That gap is what modern attacks exploit.
IBM is addressing that gap by treating application security as a continuous, operational system—not a pre-release checkpoint.
IBM outlined three areas defining this model:
- AI-based DevSecOps: Securing the software lifecycle as AI-assisted development becomes standard
- Continuous runtime security: Observing and protecting applications under real production conditions
- Identity governance for non-human actors: Managing keys, secrets and AI agents that operate on behalf of users and systems
After you build an application, the next step is to secure it at runtime. Organizations must continuously monitor the threats targeting their applications.
A rapidly expanding challenge comes with the third area: when an agent performs automated actions on a user's behalf, it must have an identity that is tracked and auditable. This transition reflects a fundamental shift. Applications are no longer static assets. They are dynamic systems—built with AI, interacting through APIs and increasingly driven by autonomous processes that introduce new forms of risk.
IBM’s approach brings these elements together through AI-driven security operations, integrated workflows and a partner ecosystem designed to provide specialized technical capabilities as needed.
The missing layer in most environments is visibility and control inside the running application itself. Here is where Contrast Security plays a critical role in IBM’s model. Contrast instruments applications from within, observing how code executes, how data flows and how attacks behave in real time. This approach is fundamentally different from perimeter inspection or static analysis. It is behavioral, contextual and tied to what is happening in production.
That visibility enables a different kind of response. When a vulnerability is identified, developers are not left to interpret alerts or search through tickets. They are given actionable guidance tied directly to the code and execution path. Contrast’s SmartFix capability takes this model further by generating remediation directly into the developer workflow. Instead of filing a ticket, SmartFix creates a pull request within GitHub (with support for Bitbucket and GitLab), proposing a code-level fix for developers to review and merge.
What once took eight or nine hours to verify now takes three minutes to generate a pull request and resolve the vulnerability.
Contrast’s MCP server extends this model into AI-assisted development environments. Developers working in VS Code with tools like GitHub Copilot can query runtime security data directly. They can ask which vulnerabilities exist in their code, what is exploitable or how specific API routes behave under real traffic conditions.
The result is a security context that is no longer separated from development. It is embedded directly into the tools developers already use and relies on real runtime evidence instead of static assumptions. IBM connects that application-layer telemetry into broader detection and response workflows, tying runtime signals to SIEM platforms and security operations processes that most organizations already run.
For most organizations, application security has been built around prediction. Find vulnerabilities early. Prioritize them. Fix what you can. That model assumed there would be time to triage, time to validate and time to remediate. AI removes time from the equation. Code is produced faster, attack techniques evolve faster and the window between exposure and exploitation continues to shrink.
The response cannot be to scan more or prioritize better within the same model. It requires a paradigm that sees what is happening in real time, understands what matters in production and can act fast enough to change the outcome. That paradigm is what IBM is building today. It’s exactly why runtime visibility, AI-assisted remediation and integrated security operations are no longer optional—they are foundational.