What's Happening?
A recent study by Checkmarx has found that 81% of organizations knowingly ship vulnerable code, at a time when AI-generated code is becoming increasingly mainstream. The study surveyed 1500 CISOs, AppSec managers, and developers, revealing that half of the respondents already use AI security code assistants, and 34% admitted that more than 60% of their code is AI-generated. Despite this widespread use, AI-generated code often contains known vulnerabilities by default. The study highlighted that 98% of respondents experienced a breach stemming from vulnerable code in the past year, a significant increase from 91% in 2024. The growing adoption of AI coding assistants is eroding developer ownership of code and expanding the attack surface, with 32% of respondents expecting API breaches via shadow APIs or business logic attacks within the next 12 to 18 months.
Why Is It Important?
The findings underscore the urgent need for improved security governance as AI-generated code becomes more prevalent. Organizations face an increased risk of breaches due to vulnerable code, with significant implications for industries that depend on secure software. The lack of foundational security tools and of governance around AI usage threatens the integrity of software development processes. As AI-assisted development accelerates, embedding security from code to cloud is crucial to prevent potential crises. The study suggests that secure software will be a competitive differentiator in the coming years, highlighting the importance of operationalizing security tooling focused on prevention.
What's Next?
Checkmarx encourages organizations to establish policies for AI usage and to operationalize security tooling to address the vulnerabilities identified in the report. The application security firm has announced the general availability of its Developer Assist agent, with extensions for leading AI-native Integrated Development Environments (IDEs) including Windsurf by Cognition, Cursor, and GitHub Copilot. As AI-generated code continues to proliferate, organizations may need to prioritize secure software development practices to maintain competitiveness and prevent breaches.