Oracle Parfait- Detecting Application Vulnerabilities at Scale - Past, Present and Future
Over the past two decades the application development and deployment landscape has evolved, including the transition from on-premises environments to cloud-based ones, which transformed the way development teams work: they now rely heavily on continuous integration and continuous delivery. This has presented new challenges for application security and driven a transition to a DevSecOps model, in which security is integrated at every stage of the software process. As a result, one has to address a variety of constraints when integrating application security tools into that process.
In this talk I summarise our experience over the past two decades of detecting vulnerabilities in applications, in both first-party and third-party code. This includes our research and the productisation of that research, which has been deployed across code bases totalling billions of lines of code. Two of the considerations that enabled deployment at this scale were the precision of the results and limiting the resources required by these tools. The data we have gathered from these deployments over the years has provided insights that led to the Intelligent Application Security (IAS) vision, namely an integrated approach to improving application security tools with actionable intelligence. The future of these security tools demands that actionable intelligence be integrated into the developer workflow, in order to improve developer productivity and to let security tools be used more broadly "under the hood".
| Slides (OracleParfait-SAST and SCA-ASE-Nov2025 updated final.pdf) | 2.86MiB |
Tue 18 Nov (displayed time zone: Seoul)
09:30 - 10:30
| 09:30, 60 min, Keynote | Oracle Parfait- Detecting Application Vulnerabilities at Scale - Past, Present and Future | Cristina Cifuentes, Oracle Software Assurance | Slides attached |
