Developers Ship AI-Generated Code Despite Knowing It's Riddled With Security Vulnerabilities


A Checkmarx survey of 2,350 developers and security leaders reveals 70% believe AI-generated code contains more security vulnerabilities than human-written code. Yet pressure to deploy quickly means 30% knowingly ship vulnerable code into production. With AI now accounting for nearly half of all production code, organizations face a critical gap between development speed and security oversight.

Developers Acknowledge AI Code Riddled With Holes

A stark reality is emerging across software development teams: AI-generated code is creating security vulnerabilities faster than organizations can address them. Research from application security company Checkmarx surveyed 2,350 global developers, CISOs, and AppSec managers, revealing that 70 percent believe AI-generated code contains significantly more security vulnerabilities than human-written code. Despite this awareness, 30 percent of developers knowingly ship vulnerable code into production, driven by relentless pressure to deploy quickly.

Source: TechRadar

The survey found that AI-generated code now accounts for approximately 49 percent of production applications, a slight decline from the 54 percent reported last year but still nearly half of all code being written. Combined with the fact that 59 percent of production code comes from open-source components, the software supply chain has become increasingly complex and vulnerable.

The AI Coding Boom Security Headaches Multiply

The consequences of deploying vulnerable AI-generated code are already materializing. A staggering 93 percent of survey respondents reported experiencing one or more security breaches as a result of vulnerable applications, though this is a slight improvement from 98 percent the previous year. Checkmarx describes the situation bluntly: "Risk is normalized."

Source: The Register

Separate research from Salt Security found that 90 percent of security leaders now express active concerns about the security risks of AI-generated software [3]. Nearly one-third identified insecure coding patterns as the primary risk introduced by AI coding assistants [3]. The root cause lies in flawed training data: AI systems learn from massive datasets that contain their own vulnerabilities and outdated practices, then replicate these issues in newly generated code [3].

Manual Code Reviews Cannot Keep Pace With Accelerated Development

Despite widespread recognition of these risks, more than one-third of organizations still depend on manual code reviews before launch [3]. This approach creates a fundamental mismatch: human reviewers cannot inspect code at the volume and speed at which AI produces it. Roey Eliyahu, CEO of Salt Security, noted that "most organisations recognise the risks, but many are still trying to manage AI-generated code using security processes designed for a pre-AI world" [3].

Checkmarx found a direct correlation between AI adoption and risk: organizations where 81 to 100 percent of code is AI-generated ship vulnerable code at 3.4 times the rate of those with only 1 to 20 percent AI adoption. The company states that while security tools exist and can perform the necessary analysis, "organizations lack in translating this into process." AI assistance drives up development pace, but security practices and remediation efforts cannot keep up.

Governance Challenges Intensify in the Agentic AI Era

The timing of these security gaps proves particularly dangerous as tools like Anthropic's Mythos demonstrate the ability to uncover security flaws orders of magnitude faster than human security teams. According to Checkmarx, "Mythos-class models collapse the window between a vulnerability existing and a working exploit being available from months to minutes," warning that enterprises relying on traditional security methods "cannot survive this reality."

Larger organizations with more than 500 employees face particularly acute governance challenges. Distributed teams use different tools, follow varied workflows, and apply security standards inconsistently across regions [3]. Research from the University of Central Florida and Birzeit University examining code security across different programming languages found that large language models "underutilize modern language and compiler features, often favoring outdated practices over more secure alternatives" due to the prevalence of such patterns in training data. Treating AI coding assistants as components of the software supply chain, vetted the way third-party dependencies are, offers a more realistic path forward than relying on manual review alone [3].
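The "outdated practices over more secure alternatives" finding above is the kind of thing a tool can gate on, which is the gap Checkmarx describes between tools that exist and process that uses them. The following is an added illustration written for this page, not code from Checkmarx, Salt Security, or the cited studies: a small Python AST scan that flags a handful of legacy call patterns an assistant trained on older corpora commonly reproduces, run over a constructed legacy snippet and its modernized rewrite. The rule table (md5 for passwords, `random` for tokens, `yaml.load` without a Loader, `shell=True`, `tempfile.mktemp`, `eval`/`exec`) and both snippets are assumptions chosen for the example, not a list taken from any of the surveys.

```python
"""Added example: an AST gate for legacy call patterns in generated Python code."""
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    pattern: str
    advice: str


# Illustrative rule table (an assumption for this example, not taken from the
# cited research): legacy call -> the modern alternative a reviewer should expect.
LEGACY_CALLS = {
    "hashlib.md5": "hashlib.scrypt/pbkdf2_hmac for passwords, sha256 for integrity",
    "random.random": "secrets.token_hex/token_urlsafe for anything secret",
    "random.randint": "secrets.randbelow for anything secret",
    "tempfile.mktemp": "tempfile.mkstemp or NamedTemporaryFile (mktemp is racy)",
    "eval": "ast.literal_eval or a real parser",
    "exec": "explicit dispatch; never execute untrusted text",
}


def _dotted(node: ast.expr) -> str | None:
    """Render a Name/Attribute chain as 'a.b.c'; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _kwarg(call: ast.Call, name: str) -> ast.expr | None:
    """Return the value of keyword argument `name`, or None if absent."""
    for kw in call.keywords:
        if kw.arg == name:
            return kw.value
    return None


def scan(source: str) -> list[Finding]:
    """Walk every call in `source` and report legacy patterns, sorted by line.

    Limitation: only dotted references are matched, so `from hashlib import md5`
    followed by `md5(...)` is not caught; a real gate would resolve imports.
    """
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted(node.func)
        if name is None:
            continue
        if name in LEGACY_CALLS:
            findings.append(Finding(node.lineno, name, LEGACY_CALLS[name]))
        elif name == "yaml.load" and _kwarg(node, "Loader") is None:
            findings.append(Finding(node.lineno, name, "yaml.safe_load (no Loader given)"))
        elif name.startswith("subprocess."):
            shell = _kwarg(node, "shell")
            if isinstance(shell, ast.Constant) and shell.value is True:
                findings.append(Finding(node.lineno, name + "(shell=True)",
                                        "pass an argv list and drop shell=True"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample (hypothetical, written for this example): the shape of code
# an assistant trained on older corpora tends to emit.
LEGACY_SNIPPET = '''
import hashlib, random, subprocess, yaml, tempfile

def store_password(pw):
    return hashlib.md5(pw.encode()).hexdigest()

def session_token():
    return str(random.random())

def load_config(path):
    return yaml.load(open(path))

def list_dir(user_path):
    return subprocess.check_output("ls " + user_path, shell=True)

def scratch():
    return tempfile.mktemp()
'''

# The same functions rewritten with the modern alternatives; scan() finds nothing.
MODERN_SNIPPET = '''
import hashlib, os, secrets, subprocess, yaml, tempfile

def store_password(pw):
    salt = os.urandom(16)
    return salt + hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)

def session_token():
    return secrets.token_urlsafe(32)

def load_config(path):
    with open(path) as fh:
        return yaml.safe_load(fh)

def list_dir(user_path):
    return subprocess.check_output(["ls", "--", user_path])

def scratch():
    fd, name = tempfile.mkstemp()
    os.close(fd)
    return name
'''

if __name__ == "__main__":
    for f in scan(LEGACY_SNIPPET):
        print(f"line {f.line}: {f.pattern} -> {f.advice}")
    print("modern snippet findings:", scan(MODERN_SNIPPET))
```

Wired into a pre-commit hook or CI step, a check like this turns the "tools exist but process does not" gap into a mechanical gate on every AI-assisted change; the rule table is the part that has to be maintained per language and codebase, which is exactly the supply-chain-style vetting the article recommends.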

© 2026 TheOutpost.AI All rights reserved