It is becoming clear that the traditional methods of application security, such as the research-vuln-patch loop and developer education, are not scaling to the demands of the modern world. As more populations come onto the internet for the very first time, and as more aspects of our lives become dependent on software, we need to change our assumptions and adjust our security model to address networks, devices, and uses that may look very different than what we have protected in the past. The manner in which we respond to this shift will define the future of modern application security and the safety of billions online.