A shocking number of companies are knowingly shipping insecure code - and it might be hard to recover


  • Four in five companies knowingly ship vulnerable code, survey warns
  • One-third say 60% of their code is now AI-generated
  • Orgs need to use AI to identify vulnerabilities

A study of 1,500 CISOs, AppSec Managers and developers conducted by Checkmarx has claimed four in five (81%) companies knowingly ship vulnerable code, putting them and their users at risk of attack.

An estimated one in two respondents already use AI security code assistance, with around one-third (34%) admitting that more than 60% of their code is AI-generated – which can often contain known vulnerabilities by default.

An overwhelming majority (98%) have experienced a breach due to vulnerable code in the past year, and yet they continue to ship vulnerable code without implementing the right protective measures.

Companies are shipping vulnerable, AI-generated code

The report outlines how generative AI has eroded developer ownership, with code now less likely to be attributable to any particular individual. It has also expanded the attack surface by reintroducing vulnerabilities that could previously have been avoided with proper coding expertise.

The trend has largely been blamed on artificial intelligence, with vibe coding on the rise and many developers now opting to edit AI-generated code rather than write their own from the ground up.

The lack of governance around this has created what the company describes as the perfect storm.

Fewer than half of the respondents were found to be using foundational security tools such as dynamic application security testing (DAST) and infrastructure-as-code (IaC) scanning, with a similar number using DevSecOps tools.

Looking ahead, Checkmarx stresses that security should be built into projects from the coding stage onward, and urges organizations to establish policies for AI tool usage. Acknowledging that developers are now actively using AI, Checkmarx suggests that, instead of banning it, companies should also use agentic AI to analyze and fix issues across projects.

"AI generated code will continue to proliferate; secure software will be the competitive differentiator in the coming years," Checkmarx VP of Portfolio Marketing Eran Kinsbruner concluded.

With several years’ experience freelancing in tech and automotive circles, Craig’s specific interests lie in technology that is designed to better our lives, including AI and ML, productivity aids, and smart fitness. He is also passionate about cars and the decarbonisation of personal transportation. As an avid bargain-hunter, you can be sure that any deal Craig finds is top value!
