
Cybersecurity Month wrap-up: Fix critical AppSec issues in the build phase

Blog: OpenText Blogs

The CISO’s dilemma

CISOs and application security leaders today are under pressure from all directions. Attack surfaces continue to expand as APIs, mobile apps, and AI-enabled development multiply the number of potential entry points (see the Gartner CISO Guide). Regulatory expectations are mounting, with new mandates requiring organizations to prove not just that they fix vulnerabilities, but that they do so quickly and consistently.

And then there’s the backlog. Every AppSec leader knows it: thousands of issues sitting unresolved, piling up release after release, undermining risk management goals and creating friction between security and development.

The reality is that traditional, late-stage security testing is no longer sustainable. By the time vulnerabilities surface, fixing them costs more, slows delivery, and leaves the business exposed. What’s needed is a shift in mindset, from managing backlogs to preventing them in the first place.

That’s where build-phase security comes in.

The true cost of late fixes

For years, the software industry has known that the cost of fixing a vulnerability rises sharply the later it is discovered in the SDLC. Estimates vary, but a commonly cited figure is that a fix made after release costs around 10x what the same fix costs during coding or build.

This cost manifests in multiple ways:

  • Developer inefficiency: Developers pulled away from current work to revisit old code lose productivity and velocity.
  • Operational overhead: Emergency patching cycles consume precious IT resources and often create downtime risks.
  • Customer trust and brand damage: Vulnerabilities discovered in production aren’t just technical issues, they’re reputational liabilities.

By shifting vulnerability discovery and remediation into the build phase, organizations address these costs head-on. Developers fix issues while the context is fresh. Security becomes part of the development rhythm, not an afterthought. And CISOs can demonstrate to the board that security investments are directly reducing operating costs and business risk.

From reactive to proactive risk reduction

Backlogs are more than a resource problem; they are a risk problem. Every unresolved critical or high-severity vulnerability represents a potential breach, compliance failure, or reputational crisis.

Build-phase security flips the equation. Instead of chasing down issues after code has shipped, organizations can stop entire classes of vulnerabilities before they ever reach production. With modern tools like OpenText™ SAST, OpenText DAST, and OpenText SCA integrated into CI/CD pipelines, teams can catch:

  • Injection flaws in custom code
  • Insecure open-source dependencies
  • API misconfigurations
  • Secrets and IaC weaknesses

All before the application ever leaves development. (SAST and SCA work on source and dependency manifests at build time; DAST needs a running instance, so in a pipeline it runs against a test deployment, still before anything reaches production.)

The business impact is significant: fewer exploitable issues in production, reduced attack surface, and measurable progress toward enterprise risk reduction goals. For boards and regulators asking, “How do we know we’re safer this quarter than last?”—this is the answer.

The compliance imperative

Compliance is no longer a box-ticking exercise. Frameworks such as GDPR, PCI DSS, and sector-specific mandates now expect demonstrable secure development practices and continuous risk management.

Build-phase security provides a compliance advantage in three ways:

  1. Continuous proof: Integrated testing creates an audit trail showing that vulnerabilities were identified and remediated before release.
  2. Policy-driven governance: Automated rules in the pipeline enforce compliance standards, such as blocking releases with unresolved critical issues, which removes subjectivity from the release decision.
  3. Scalability: Instead of scrambling before audits, organizations maintain a state of continuous compliance, reducing fire drills and audit fatigue.

For CISOs, this is a chance to transform compliance from a burden into a competitive differentiator.

The role of AI in accelerating results

One of the historic challenges of shifting left has been the burden on developers. False positives, noisy scans, and unintuitive tools create resistance. But modern advances—particularly AI-powered auditing and remediation—are changing the equation.

With OpenText™ SAST Aviator, security teams can:

  • Filter out false positives with human-level accuracy.
  • Provide contextual explanations in plain language for why an issue matters.
  • Offer copy-paste remediation guidance for true positives.

This means developers spend less time wading through noise and more time fixing real issues. For AppSec leaders, it’s a direct productivity and ROI gain: the same teams can handle more vulnerabilities, faster, without burnout.

Breaking through the backlog

How do organizations actually move from backlog to breakthrough? Successful programs share a few common steps:

  1. Bake security into the pipeline: Integrate OpenText SAST, DAST, and SCA directly into CI/CD workflows so vulnerabilities are identified automatically at build time.
  2. Set clear “stop the build” policies: Define thresholds (e.g., no release with critical vulns) and enforce them consistently.
  3. Empower developers: Equip dev teams with contextual remediation advice and secure coding training to build resilience against future vulnerabilities.
  4. Measure and report: Track not just vulnerability counts, but mean time-to-remediate, percentage of issues fixed pre-release, and compliance pass rates.
  5. Continuously improve: Use OpenText ASPM dashboards and risk analytics to refine policies, prioritize investments, and demonstrate ongoing ROI.
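The "stop the build" policy in step 2 (and the automated pipeline rule described under policy-driven governance above) is, mechanically, a small gate that runs after the scanners and fails the job when open findings exceed an agreed threshold. The script below is an added example of such a gate, not OpenText code and not taken from the original post. It consumes SARIF 2.1.0, the interchange format most SAST and SCA scanners can export, and assumes the scanner publishes a GitHub-style "security-severity" score (0 to 10) on each rule, falling back to the SARIF result level when it does not. The rule ids, file paths, scores and suppression in SAMPLE_SARIF are constructed for the example.

```python
"""Build-phase gate for a "stop the build" policy.

Reads a SARIF 2.1.0 report, buckets each open finding into a severity band and
fails when any band exceeds its agreed limit. Added example for this post, not
OpenText code; SAMPLE_SARIF and its rule ids, paths and scores are constructed.
"""
from __future__ import annotations

import json
import sys
from collections import Counter

# Policy: maximum open findings tolerated per band; None means report but never block.
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 25, "low": None}

# Fallback when a rule carries no numeric score: SARIF result level -> band.
LEVEL_FALLBACK = {"error": "high", "warning": "medium", "note": "low", "none": "low"}


def band_from_score(score: float) -> str:
    """Map a CVSS-style 0.0-10.0 score to a band using the CVSS v3 qualitative ranges."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def severity_of(result: dict, rules_by_id: dict) -> str:
    """Prefer the rule's 'security-severity' score; otherwise use the SARIF level."""
    props = rules_by_id.get(result.get("ruleId"), {}).get("properties", {})
    if "security-severity" in props:
        return band_from_score(float(props["security-severity"]))
    return LEVEL_FALLBACK.get(result.get("level", "warning"), "medium")


def location_of(result: dict) -> tuple[str, int]:
    """(file, line) of the first physical location, or ('?', 0) if none is recorded."""
    for loc in result.get("locations", []):
        phys = loc.get("physicalLocation", {})
        uri = phys.get("artifactLocation", {}).get("uri", "?")
        return uri, int(phys.get("region", {}).get("startLine", 0))
    return "?", 0


def evaluate(sarif: dict, policy: dict = DEFAULT_POLICY,
             exceptions: frozenset = frozenset()) -> tuple[bool, Counter, list[str]]:
    """Return (passed, open findings per band, human-readable violations).

    A finding is skipped when the scanner already marked it suppressed (a reviewed
    false positive) or when (ruleId, file, line) is on the triaged exception list.
    A real exception list also needs an owner and an expiry date; omitted here.
    """
    counts: Counter = Counter()
    for run in sarif.get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules", [])
        rules_by_id = {r["id"]: r for r in rules}
        for res in run.get("results", []):
            uri, line = location_of(res)
            if res.get("suppressions") or (res.get("ruleId"), uri, line) in exceptions:
                continue
            counts[severity_of(res, rules_by_id)] += 1
    violations = [f"{band}: {counts[band]} open finding(s), limit {limit}"
                  for band, limit in policy.items()
                  if limit is not None and counts[band] > limit]
    return not violations, counts, violations


def _result(rule_id: str, level: str, uri: str, line: int, suppressed: bool = False) -> dict:
    # One SARIF result object; 'suppressions' is what a scanner records after a
    # reviewer marks the finding as a false positive.
    res = {"ruleId": rule_id, "level": level, "message": {"text": rule_id},
           "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri},
                                               "region": {"startLine": line}}}]}
    if suppressed:
        res["suppressions"] = [{"kind": "external", "justification": "test fixture only"}]
    return res


# Constructed scan output with hypothetical rule ids; not from any real scanner run.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "SQLI-001", "properties": {"security-severity": "9.8"}},
            {"id": "XSS-002", "properties": {"security-severity": "6.1"}},
            {"id": "DEP-VULN-003", "properties": {"security-severity": "7.5"}},
            {"id": "SECRET-004"},  # no score: severity falls back to the level
        ]}},
        "results": [
            _result("SQLI-001", "error", "src/app/db.py", 42),
            _result("DEP-VULN-003", "error", "requirements.txt", 3),
            _result("XSS-002", "warning", "src/app/views.py", 17),
            _result("XSS-002", "warning", "src/app/views.py", 88),
            _result("SECRET-004", "error", "tests/fixtures/creds.py", 8, suppressed=True),
        ],
    }],
}

if __name__ == "__main__":  # usage: python gate.py scan.sarif  (sample used if omitted)
    doc = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE_SARIF
    ok, counts, violations = evaluate(doc)
    print("open findings by band:", dict(counts), *["BLOCK: " + v for v in violations], sep="\n")
    sys.exit(0 if ok else 1)
```

Run it as the CI step that follows the scan, passing the scanner's SARIF file; the non-zero exit is what blocks the release, and the printed violations tell the developer exactly which band tripped. On the constructed sample the build is blocked (one critical and one high finding, the suppressed secret not counted); clearing the critical through a triaged exception and relaxing the high limit lets it pass. The per-band counts are also the raw material for step 4: recorded per build, they give the "percentage of issues fixed pre-release" its numerator and denominator.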

The leadership mandate

For CISOs and security executives, the mandate is clear: application security can no longer be an afterthought or a siloed program. It must be an enabler of innovation and a measurable driver of risk reduction, in financial, risk, and regulatory terms.

Shifting vulnerability remediation into the build phase achieves all three objectives:

  • Financial: Lower remediation costs and faster ROI on security investments.
  • Risk-based: Fewer vulnerabilities in production, reducing the likelihood of breaches and compliance failures.
  • Regulatory: Continuous compliance with an auditable trail that satisfies regulators and customers alike.

From backlog to breakthrough: A call to action

The old approach, letting vulnerabilities pile up and hoping security teams can catch up, no longer works. The backlog is not just a technical problem; it’s a business risk.

CISOs who embrace build-phase security can move their organizations from firefighting mode to proactive resilience. They can turn AppSec from a cost center into a value driver, demonstrating clear returns to executives and boards.

It’s time to stop thinking in terms of vulnerability backlog. The breakthrough is here: fix it in build with OpenText Application Security, and stop vulnerabilities before they ever become a business problem. And check out 5 AppSec Trends You Can’t Ignore.

