2 Sources
[1] The Register
Devs know AI code is riddled with holes, but ship it anyway
Pressure to deploy wins out over security as four in five orgs confess to breaches from vulnerable apps

Research by AppSec biz Checkmarx finds that 70 percent of developers believe AI-generated code has more vulnerabilities, and 30 percent knowingly ship vulnerable code into production. The report is based on responses from 2,350 global developers, CISOs, and AppSec managers, and follows similar annual surveys since 2023.

The number of respondents is 54 percent higher this year than last, and the increased sample size may account for a somewhat surprising statistic: the reported proportion of AI-generated production code has slightly declined, from 54 percent to 49 percent, though this is still a high figure. Production applications are also built on an open source foundation, according to the report, accounting for 59 percent of the code.

These are self-reported estimates, but a lot of open source code is buried in node_modules or other library locations and it is not always secure, whether because of hard-pressed maintainers struggling to keep up with AI-discovered vulnerabilities, or malicious packages smuggled into popular package repositories such as npm and PyPI.

The consequence is that software development is riskier than ever, with issues extending beyond vulnerable code to credential-stealing malware, yet the Checkmarx survey appears to show resignation, with 93 percent of respondents reporting one or more security breaches as a result of vulnerable applications, though last year the figure was 98 percent. Reasons given include pressure to deploy quickly, vulnerabilities being too difficult to fix, and reliance on other controls to pick up the pieces. "Risk is normalized," says Checkmarx in its report.

The security of AI-generated code is a hot topic, particularly since, among these respondents, it accounts for around 50 percent of what is written.
70 percent report "significantly more vulnerabilities with AI-generated code," suggesting that AI is even worse than humans when it comes to overlooking security issues. It is a complex situation. AI is trained on existing code, primarily public code, which has its share of vulnerabilities that may then be replicated. The AI wave has also delivered new tools for analyzing and remediating vulnerabilities.

A study last year by computer scientists from the University of Central Florida and Birzeit University in Palestine looked at how code security varied between different programming languages (Java, Python, C, and C++) and LLMs, and which vulnerabilities are most prevalent. The findings showed significant variations, with C code tending to have the most security issues, and Python the fewest, though the researchers acknowledge that LLMs are evolving rapidly and that the research is a "time-stamped view." One of the issues is that LLMs "underutilize modern language and compiler features, often favoring outdated practices over more secure alternatives." The likely reason is the prevalence of such practices in the training data.

A key question is whether developers can eliminate vulnerabilities using tooling, including old-style static analysis and newer AI-driven options. According to Checkmarx, they could but often do not. "The tools do the work, but organizations lack in translating this into process," the company reports. As Veracode has also reported, AI assistance is driving up the pace of development and security practices cannot keep up.

The Checkmarx researchers state: "AI code volume correlates directly with vulnerable code deployment, which correlates directly with breach frequency." Specifically, "organizations where 81-100 percent of code is AI-generated ship vulnerable code at 3.4x the rate of those at 1-20 percent adoption" - a high price to pay for accelerated development.
[2] InfoWorld
Enterprises know AI-generated code is vulnerable; they're shipping it anyway
It's a dangerous game to play at the dawn of the agentic AI era, as underscored in a new report from app security company Checkmarx. The survey of thousands of security leaders exposes an underlying naivete about AI-built code and its vulnerabilities, even as tools like Anthropic's Mythos are uncovering security flaws orders of magnitude faster than any human security team could ever hope to. "Mythos-class models collapse the window between a vulnerability existing and a working exploit being available from months to minutes," the report notes. Enterprises relying on traditional security tools and methods, it says, "cannot survive this reality."

Security as an afterthought

Checkmarx's survey of 2,350 CISOs, AppSec managers, and developers across 14 countries focused on how much AI-developed code enterprises are deploying, the vulnerabilities it introduces, how it impacts developer workflows, and overall sentiment about AI code and security posture. Today, nearly half of production code is AI-generated, and the majority of enterprises also report that at least half their codebase is made up of open-source components, according to the report.
A Checkmarx survey of 2,350 global developers and security leaders reveals a troubling trend: 70% believe AI-generated code contains more vulnerabilities than human-written code, yet 30% knowingly deploy it to production anyway. With AI now accounting for nearly half of all production code and 93% of organizations reporting security breaches from vulnerable applications, the pressure to deploy quickly is overriding security concerns in a dangerous gamble.
A comprehensive survey by application security company Checkmarx has exposed a critical disconnect in enterprise software development. Although 70% of developers believe that AI-generated code contains significantly more vulnerabilities than human-written code, 30% admit to knowingly shipping vulnerable code into production environments [1]. The research, which surveyed 2,350 developers, CISOs, and application security managers across 14 countries, paints a sobering picture of security practices in the age of AI-assisted development [2].

The stakes are particularly high given that AI-generated code now comprises approximately 49% of production code, down slightly from 54% the previous year but still nearly half of what organizations deploy [1]. Production applications also rely heavily on open source foundations, which account for 59% of codebases according to the same self-reported estimates [1].
The consequences of shipping vulnerable AI code are stark. 93% of survey respondents reported experiencing one or more security breaches due to vulnerable applications, down from 98% the previous year, and Checkmarx describes the pattern as evidence that "risk is normalized" in modern software development [1]. Respondents cite several factors driving this trend: pressure to deploy quickly, vulnerabilities that are too difficult to fix, and reliance on other security controls to catch issues after deployment [1].

The correlation between AI adoption and security incidents is particularly troubling. Organizations where 81-100% of code is AI-generated ship vulnerable code at 3.4 times the rate of those with only 1-20% AI adoption, a high price for accelerated development [1]. Checkmarx researchers note that "AI code volume correlates directly with vulnerable code deployment, which correlates directly with breach frequency" [1].
The root causes trace back to how large language models are trained. LLMs learn from existing code, primarily public repositories, which carry their own share of security flaws that the models may then replicate in newly generated code [1]. A study from the University of Central Florida and Birzeit University examined how the security of LLM-generated code varied across Java, Python, C, and C++: C code tended to have the most security issues and Python the fewest, and the researchers found that LLMs "underutilize modern language and compiler features, often favoring outdated practices over more secure alternatives," most likely because those practices dominate the training data. The authors caution that LLMs are evolving rapidly and describe their results as a "time-stamped view" [1].

The situation is further complicated by the emergence of AI-driven vulnerability discovery tools such as Anthropic's Mythos, which can identify security flaws orders of magnitude faster than human security teams. "Mythos-class models collapse the window between a vulnerability existing and a working exploit being available from months to minutes," the Checkmarx report states, arguing that traditional security methods cannot keep pace [2].
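The Register's account of the UCF/Birzeit study in source [1] and this summary's restatement of it say only that LLMs favor "outdated practices over more secure alternatives" and underuse "modern language and compiler features"; neither names a practice. As an added illustration (not code from the Checkmarx report, the study, or either article), the block below shows one pattern that fits that description in C, the language the study found most issue-prone: an unbounded string copy into a fixed-size record field, beside the bounded form that checks the length first, keeps the terminator and reports failure, plus the parallel sprintf/snprintf case. The 16-byte field size, the function names and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration; not code from the Checkmarx report, the
 * UCF/Birzeit study, or either article. A "name" is copied into a fixed
 * 16-byte record field. The field size, names and inputs are assumptions. */
#define NAME_FIELD 16

/* Outdated practice: strcpy() has no bound and trusts the caller to have
 * checked the length. Any source of NAME_FIELD bytes or more overruns the
 * field (undefined behaviour). Kept here only for contrast; it is called
 * below with a short, known input and must never see untrusted data. */
void copy_name_legacy(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Modern alternative: find the terminator without scanning past the field
 * size, refuse anything that does not fit, always leave dst terminated, and
 * report the outcome instead of silently truncating or overflowing.
 * Returns 0 on success, -1 if the name does not fit. */
int copy_name_bounded(char *dst, const char *src)
{
    const char *end = memchr(src, '\0', NAME_FIELD); /* reads at most NAME_FIELD bytes */
    if (end == NULL) {              /* no terminator inside the field: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(end - src) + 1);      /* +1 copies the terminator */
    return 0;
}

/* The same split for formatting: sprintf() is unbounded, snprintf() takes
 * the buffer size and its return value says how much it wanted to write.
 * Returns 1 if the whole line fit in out, 0 if it was truncated or failed. */
int format_record(char *out, size_t outsz, int id, const char *name)
{
    int wanted = snprintf(out, outsz, "id=%d name=%s", id, name);
    return wanted >= 0 && (size_t)wanted < outsz;
}

int main(void)
{
    char field[NAME_FIELD];
    char line[32];
    const char *short_name = "alice";                        /* constructed input */
    const char *long_name = "a-deliberately-oversized-name"; /* 29 bytes, constructed */

    copy_name_legacy(field, short_name);   /* safe only because the input is short */
    printf("legacy copy:          %s\n", field);
    printf("bounded copy (short): %d\n", copy_name_bounded(field, short_name));
    printf("bounded copy (long):  %d\n", copy_name_bounded(field, long_name));
    printf("format fits (short):  %d\n", format_record(line, sizeof line, 7, short_name));
    printf("format fits (long):   %d\n", format_record(line, sizeof line, 7, long_name));
    return 0;
}
```

The "compiler features" half of the study's remark is the build line rather than the source: compiling with `gcc -std=c11 -O2 -Wall -Wextra -Wformat=2 -fstack-protector-strong -D_FORTIFY_SOURCE=2` turns on format-string checking, stack canaries and fortified bounds checks for the standard calls above, none of which an unbounded `strcpy` in a pointer-only context can benefit from; the bounded version fails closed on its own and does not depend on them.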
While remediation tools, including traditional static analysis and newer AI-driven options, are available, organizations struggle to integrate them effectively. "The tools do the work, but organizations lack in translating this into process," Checkmarx reports [1]. As Veracode has also reported, AI assistance is driving up the pace of development, and security practices cannot keep up with the velocity [1].

The survey's findings suggest enterprises are playing a dangerous game at the dawn of the agentic AI era, exposing what one report on the survey describes as "an underlying naivete about AI-built code and its vulnerabilities" [2]. With software development riskier than ever and issues extending beyond vulnerable code to credential-stealing malware, organizations relying on conventional approaches "cannot survive this reality," according to Checkmarx [2].

Summarized by Navi