"and this mess is so big and so deep and so tall - we can not pick it up, there is no way at all" – Dr. SeussThe evolution of application security coincides, for the most part, with the innovations in the realm of applications themselves. When characterizing each of these chapters, we see that while the techniques and tools of application security may have changed, the challenge has remained the same – AppSec is always playing catch-up. Is there anything we can do as AppSec professionals to change this vicious cycle? In order to better secure our future, we must first look at the past.This presentation will define, for the first time, the four major transformation periods of application security:1. Primordial Terminal Applications2. Thick Application Clients3. The Web Application Era4. Mobile, SPA & Cloud Native Applications.We will review the mistakes we have made as AppSec practitioners and the impact we’ve had on each transformation stage. But most of all, we will ask the critical question– why do we have more problems today in AppSec yet so many more security solutions and innovations? The answer lies in the fact that although we’ve tried, AppSec still evolves at a slower pace than engineers in application development.We will always need application security– just as a door needs a lock and a yard needs a fence. It’s the classic game of offense and defense: innovation will spur incredible progress in application development, which in turn will surface new vulnerabilities, attack vectors and challenges. As AppSec professionals, now is the moment to tie the game and stop playing catch-up.So although demoralized, we are not defeated!The final part of my presentation will discuss the ways in which AppSec can become as agile as development and transform!But in order to pave the road for this future, we must learn important lessons from our past. Welcome to AppSec story time!