- Four in five companies knowingly ship vulnerable code, survey warns
- One-third say 60% of their code is now AI-generated
- Orgs need to use AI to identify vulnerabilities
A study of 1,500 CISOs, AppSec Managers and developers conducted by Checkmarx has claimed four in five (81%) companies knowingly ship vulnerable code, putting them and their users at risk of attack.
An estimated one in two respondents already use AI security code assistance, with around one-third (34%) admitting that more than 60% of their code is AI-generated – which can often contain known vulnerabilities by default.
An overwhelming majority (98%) have experienced a breach due to vulnerable code in the past year, and yet they continue to ship vulnerable code without implementing the right protective measures.
Companies are shipping vulnerable, AI-generated code
The report outlines how generative AI has now eroded developer ownership with code less likely to be affiliated with any particular individuals. It has also expanded the attack surface by reopening vulnerabilities that could previously have been avoided with proper coding expertise.
The trend has largely been blamed on artificial intelligence, with vibe coding on the rise and many developers now opting to edit AI-generated code rather than write their own from the ground up.
The lack of governance around this has created what the company describes as the perfect storm.
Fewer than half of the respondents were found to be using foundational security tools like DAST and IaC scanning, with a similar number using DevSecOps tools.
Looking ahead, Checkmarx stresses security should be built into projects right from coding level, with organizations urged to establish policies for AI tool usage. Acknowledging that developers are now actively using AI, Checkmarx suggests that, instead of banning it, companies should also utilize agentic AI to analyze and fix issues across projects.
“AI generated code will continue to proliferate; secure software will be the competitive differentiator in the coming years,” Checkmarx VP of Portfolio Marketing Eran Kinsbruner concluded.
