
Pressure to deploy wins out over security as four in five orgs confess to breaches from vulnerable apps
Research by AppSec biz Checkmarx finds that 70 percent of developers believe AI-generated code has more vulnerabilities, and 30 percent knowingly ship vulnerable code into production.
The report is based on responses from 2,350 global developers, CISOs, and AppSec managers, and follows similar annual surveys since 2023. The number of respondents is 54 percent higher this year than last, and the increased sample size may account for a somewhat surprising statistic: the reported proportion of AI-generated production code has slightly declined, from 54 percent to 49 percent, though this is still a high figure.
Production applications are also built on an open source foundation, according to the report, accounting for 59 percent of the code. These are self-reported estimates, but a lot of open source code is buried in node_modules or other library locations and it is not always secure, whether because of hard-pressed maintainers struggling to keep up with AI-discovered vulnerabilities, or malicious packages smuggled into popular package repositories such as npm and PyPI.
The consequence is that software development is riskier than ever, with issues extending beyond vulnerable code to credential-stealing malware, yet the Checkmarx survey appears to show resignation, with 93 percent of respondents reporting one or more security breaches as a result of vulnerable applications – though last year the figure was 98 percent. Reasons given include pressure to deploy quickly, vulnerabilities being too difficult to fix, and reliance on other controls to pick up the pieces.
“Risk is normalized,” says Checkmarx in its report.
The security of AI-generated code is a hot topic, particularly since, among these respondents, it accounts for around 50 percent of what is written. 70 percent report “significantly more vulnerabilities with AI-generated code,” suggesting that AI is even worse than humans when it comes to overlooking security issues.
It is a complex situation. AI is trained on existing code, primarily public code, which has its share of vulnerabilities that may then be replicated. The AI wave has also delivered new tools for analyzing and remediating vulnerabilities.
A study last year by computer scientists from the University of Central Florida and Birzeit University in Palestine looked at how code security varied between different programming languages (Java, Python, C, and C++) and LLMs, and which vulnerabilities are most prevalent. The findings showed significant variations, with C code tending to have the most security issues, and Python the fewest, though the researchers acknowledge that LLMs are evolving rapidly and that the research is a “time-stamped view.” One of the issues is that LLMs “underutilize modern language and compiler features, often favoring outdated practices over more secure alternatives.” The likely reason is the prevalence of such practices in the training data.
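To make the "outdated practices over more secure alternatives" finding concrete, here is an added illustration (not code from the article or from the cited study) of the kind of pattern involved: a fixed-size C record written once with an unbounded `strcpy()`, and once with explicit length validation and a C11 compile-time check. The struct, the 16-byte field width and the sample inputs are constructed for this example; the hardened function rejects over-long input rather than silently truncating it, which is the behaviour a reviewer or a static analyzer would want to see.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed record: a small fixed-width name field followed by a flag. */
#define NAME_LEN 16

struct user {
    char name[NAME_LEN];
    int  admin;
};

/* Outdated practice: strcpy() trusts the caller to have checked the length.
 * A name longer than NAME_LEN-1 bytes overruns `name` and clobbers `admin`.
 * Compilers (-Wall, _FORTIFY_SOURCE) and every SAST tool flag this call;
 * the article's point is that the warning is often not acted on. */
void set_name_legacy(struct user *u, const char *name)
{
    strcpy(u->name, name);
}

/* Hardened version: measure with the bounded strnlen(), refuse input that
 * would not fit (including its terminator) instead of truncating silently,
 * and copy exactly the validated length. Leaves `u` untouched on rejection. */
bool set_name_checked(struct user *u, const char *name)
{
    size_t len = strnlen(name, NAME_LEN);
    if (len >= NAME_LEN)          /* no room for the NUL terminator: reject */
        return false;
    memcpy(u->name, name, len);
    u->name[len] = '\0';
    return true;
}

/* Modern language feature (C11): fail the build, not the program, if the
 * field is ever shrunk below a usable size. */
_Static_assert(NAME_LEN >= 8, "NAME_LEN too small to hold a name");

int main(void)
{
    struct user u = { .name = "", .admin = 0 };
    /* Constructed input: 20 characters, longer than the 16-byte field. */
    const char *too_long = "abcdefghijklmnopqrst";

    if (!set_name_checked(&u, too_long))
        printf("rejected over-long name; admin flag still %d\n", u.admin);
    if (set_name_checked(&u, "alice"))
        printf("stored \"%s\"\n", u.name);
    /* set_name_legacy(&u, too_long) would overflow `name` here; not executed. */
    return 0;
}
```

The legacy function is kept in the block only so the two can be compared side by side; in a real code base the fix is to delete it, and a CI gate that treats the analyzer's `strcpy` finding as a build failure is what turns the tool's output into process.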
A key question is whether developers can eliminate vulnerabilities using tooling, including old-style static analysis and newer AI-driven options. According to Checkmarx, they could but often do not.
“The tools do the work, but organizations lack in translating this into process,” the company reports. As Veracode has also reported, AI assistance is driving up the pace of development and security practices cannot keep up.
The Checkmarx researchers state: “AI code volume correlates directly with vulnerable code deployment, which correlates directly with breach frequency.” Specifically, “organizations where 81-100 percent of code is AI-generated ship vulnerable code at 3.4x the rate of those at 1-20 percent adoption” – a high price to pay for accelerated development. ®