Hey folks   

For years, application security has mostly followed the same pattern.

Run a scan.
Get a list of vulnerabilities.
Prioritize them using severity scores.