Over the past 20 years there have been a dozen different major theories on how you should implement an application security program. Yet the average number of serious vulnerabilities in web applications today is 28.6, almost exactly what it was in 2003 when the first OWASP Top Ten was released. Even the risks in the Top Ten itself haven’t changed. In the era of Digital Transformation, Cloud, and DevOps, things only look grimmer. The answer is a new, modern approach to achieving application security that directly measures security outcomes instead of indirectly measuring processes or teams.