3 Sources
[1]
Devs know AI code is riddled with holes, but ship it anyway
Pressure to deploy wins out over security as four in five orgs confess to breaches from vulnerable apps

Research by AppSec biz Checkmarx finds that 70 percent of developers believe AI-generated code has more vulnerabilities, and 30 percent knowingly ship vulnerable code into production. The report is based on responses from 2,350 global developers, CISOs, and AppSec managers, and follows similar annual surveys since 2023. The number of respondents is 54 percent higher this year than last, and the increased sample size may account for a somewhat surprising statistic: the reported proportion of AI-generated production code has slightly declined, from 54 percent to 49 percent, though this is still a high figure.

Production applications are also built on an open source foundation, according to the report, accounting for 59 percent of the code. These are self-reported estimates, but a lot of open source code is buried in node_modules or other library locations and it is not always secure, whether because of hard-pressed maintainers struggling to keep up with AI-discovered vulnerabilities, or malicious packages smuggled into popular package repositories such as npm and PyPI.

The consequence is that software development is riskier than ever, with issues extending beyond vulnerable code to credential-stealing malware, yet the Checkmarx survey appears to show resignation, with 93 percent of respondents reporting one or more security breaches as a result of vulnerable applications - though last year the figure was 98 percent. Reasons given include pressure to deploy quickly, vulnerabilities being too difficult to fix, and reliance on other controls to pick up the pieces. "Risk is normalized," says Checkmarx in its report.

The security of AI-generated code is a hot topic, particularly since, among these respondents, it accounts for around 50 percent of what is written. 70 percent report "significantly more vulnerabilities with AI-generated code," suggesting that AI is even worse than humans when it comes to overlooking security issues. It is a complex situation. AI is trained on existing code, primarily public code, which has its share of vulnerabilities that may then be replicated. The AI wave has also delivered new tools for analyzing and remediating vulnerabilities.

A study last year by computer scientists from the University of Central Florida and Birzeit University in Palestine looked at how code security varied between different programming languages (Java, Python, C, and C++) and LLMs, and which vulnerabilities are most prevalent. The findings showed significant variations, with C code tending to have the most security issues, and Python the fewest, though the researchers acknowledge that LLMs are evolving rapidly and that the research is a "time-stamped view." One of the issues is that LLMs "underutilize modern language and compiler features, often favoring outdated practices over more secure alternatives." The likely reason is the prevalence of such practices in the training data.

A key question is whether developers can eliminate vulnerabilities using tooling, including old-style static analysis and newer AI-driven options. According to Checkmarx, they could but often do not. "The tools do the work, but organizations lack in translating this into process," the company reports. As Veracode has also reported, AI assistance is driving up the pace of development and security practices cannot keep up. The Checkmarx researchers state: "AI code volume correlates directly with vulnerable code deployment, which correlates directly with breach frequency." Specifically, "organizations where 81-100 percent of code is AI-generated ship vulnerable code at 3.4x the rate of those at 1-20 percent adoption" - a high price to pay for accelerated development.
[2]
Enterprises know AI-generated code is vulnerable; they're shipping it anyway
It's a dangerous game to play at the dawn of the agentic AI era, as underscored in a new report from app security company Checkmarx. The survey of thousands of security leaders exposes an underlying naivete about AI-built code and its vulnerabilities, even as tools like Anthropic's Mythos are uncovering security flaws orders of magnitude faster than any human security team could ever hope to. "Mythos-class models collapse the window between a vulnerability existing and a working exploit being available from months to minutes," the report notes. Enterprises relying on traditional security tools and methods, it says, "cannot survive this reality."

Security as an afterthought

Checkmarx's survey of 2,350 CISOs, AppSec managers, and developers across 14 countries focused on how much AI-developed code enterprises are deploying, the vulnerabilities it introduces, how it impacts developer workflows, and overall sentiment about AI code and security posture. Today, nearly half of production code is AI-generated, and the majority of enterprises also report that at least half their codebase is made up of open-source components, according to the report.
[3]
The AI coding boom is creating security headaches for organizations
* AI-generated code is growing faster than security oversight mechanisms
* Manual reviews struggle to keep pace with machine-generated software
* Security leaders fear insecure coding patterns spreading through development pipelines

Artificial intelligence coding assistants have spread across development teams faster than security frameworks can adapt to. New Salt Security research has claimed 90% of security leaders now report active concerns about risks posed by AI-generated software. However, organizations continue embracing AI tools because they accelerate coding tasks, reduce time spent on repetitive work, and increase software delivery speed.

Human review cannot handle AI speed

Security leaders believe that development practices designed before AI became mainstream may no longer provide sufficient oversight. Nearly a third (29%) of respondents identified insecure coding patterns as the primary risk introduced by AI assistants. These systems learn from massive training datasets that contain their own flaws and outdated practices. An AI tool can generate code that appears fully functional while quietly reproducing vulnerabilities a human might have caught.

This problem resembles how antivirus software must constantly update its definitions because new threats emerge faster than signature databases can grow. The difference here is that no central authority tracks every insecure pattern an AI might replicate - as despite the widespread anxiety that AI introduces, more than one-third of organisations still depend on manual code reviews before any launch.

Reliance on human checking becomes structurally problematic when AI produces code at volumes no team can inspect thoroughly. That method worked when developers wrote software at human speed, but it fails when AI accelerates output dramatically. Reviewer fatigue sets in quickly, teams apply standards inconsistently, and security requirements get interpreted differently across departments.

"AI coding assistants are fundamentally changing how software is built, but governance has not kept pace," said Roey Eliyahu, CEO and co-founder at Salt Security. "Most organisations recognise the risks, but many are still trying to manage AI-generated code using security processes designed for a pre-AI world." This approach does not scale any better than using a single email inbox to handle millions of daily messages without filtering or automation.

Enterprise complexity makes enforcement harder

Larger organisations with more than 500 employees face governance challenges that smaller firms simply do not encounter. Distributed teams use different tools, follow varied workflows, and apply security standards with inconsistent rigour across regions. The risk of developer overreliance on AI assistants grows proportionally with team size and delivery pressure. Security agencies, including government cybersecurity bodies, have previously warned that AI systems expand attack surfaces and complicate accountability structures significantly.

Without better visibility into where AI-generated code enters the pipeline, governance remains guesswork dressed up as process. Treating AI coding assistants as components of the software supply chain -- similar to vetting any third-party malware risk -- offers a more realistic path forward than hoping manual review will somehow catch up.
A Checkmarx survey of 2,350 developers and security leaders reveals 70% believe AI-generated code contains more security vulnerabilities than human-written code. Yet pressure to deploy quickly means 30% knowingly ship vulnerable code into production. With AI now accounting for nearly half of all production code, organizations face a critical gap between development speed and security oversight.
A stark reality is emerging across software development teams: AI-generated code is creating security vulnerabilities faster than organizations can address them. Research from application security company Checkmarx surveyed 2,350 global developers, CISOs, and AppSec managers, revealing that 70 percent believe AI-generated code contains significantly more security vulnerabilities compared to human-written code. Despite this awareness, 30 percent of developers knowingly ship vulnerable code into production, driven by relentless pressure to deploy quickly.

Source: TechRadar
The survey found that AI-generated code now accounts for approximately 49 percent of production applications, a slight decline from 54 percent reported last year but still representing nearly half of all code being written. Combined with the fact that 59 percent of production code comes from open source foundations, the software supply chain has become increasingly complex and vulnerable.

The consequences of deploying vulnerable AI-generated code are already materializing. A staggering 93 percent of survey respondents reported experiencing one or more security breaches as a result of vulnerable applications, though this represents a slight improvement from 98 percent the previous year. Checkmarx describes the situation bluntly: "Risk is normalized".

Source: The Register
Separate research from Salt Security found that 90 percent of security leaders now express active concerns about security risks of AI-generated software [3]. Nearly one-third identified insecure coding patterns as the primary risk introduced by AI coding assistants [3]. The root cause lies in flawed training data: AI systems learn from massive datasets containing their own vulnerabilities and outdated practices, then replicate these issues in newly generated code [3].

Despite widespread recognition of these risks, more than one-third of organizations still depend on manual code reviews before launch [3]. This approach creates a fundamental mismatch: human reviewers cannot inspect code at the volume and speed that AI produces it. Roey Eliyahu, CEO of Salt Security, noted that "most organisations recognise the risks, but many are still trying to manage AI-generated code using security processes designed for a pre-AI world" [3].

Checkmarx found a direct correlation between AI adoption and risk: organizations where 81 to 100 percent of code is AI-generated ship vulnerable code at 3.4 times the rate of those with only 1 to 20 percent AI adoption. The company states that while security tools exist and can perform the necessary analysis, "organizations lack in translating this into process". AI assistance drives up development pace, but security practices and remediation efforts cannot keep up.

The timing of these security gaps proves particularly dangerous as tools like Anthropic's Mythos demonstrate the ability to uncover security flaws orders of magnitude faster than human security teams. According to Checkmarx, "Mythos-class models collapse the window between a vulnerability existing and a working exploit being available from months to minutes," warning that enterprises relying on traditional security methods "cannot survive this reality".

Larger organizations with more than 500 employees face particularly acute governance challenges. Distributed teams use different tools, follow varied workflows, and apply security standards inconsistently across regions [3]. Research from the University of Central Florida and Birzeit University examining code security across different programming languages found that large language models "underutilize modern language and compiler features, often favoring outdated practices over more secure alternatives" due to the prevalence of such patterns in training data. Treating AI coding assistants as components of the software supply chain, similar to vetting third-party dependencies, offers a more realistic path forward than relying on manual review alone [3].

Summarized by Navi