Instead of reading pen test results as an evaluation of the application’s security, AppSec teams should use the results to evaluate how effective their efforts are in deploying training, tooling, governance, and processes.