'AI-generated code is outpacing every manual remediation model in existence': Nearly all firms admit they have shipped code they know is vulnerable


  • Checkmarx research found 75% of organizations knowingly ship vulnerable code
  • The time‑to‑exploit window is expected to shrink to just one minute, raising urgent risks for some sectors
  • Vibe‑coded apps built entirely via AI chat are compounding exposure

Artificial Intelligence (AI) has made it unaffordable for organizations to ship code they already know is vulnerable, but they seem to be doing so anyway, new research has claimed.

Security experts Checkmarx found shipping vulnerable code became “standard operating behavior”, with 75% of organizations admitting they often or sometimes deploy code they already know is vulnerable.

The announcement hints that companies were taking somewhat calculated risks: less than a decade ago (in 2018), the average time to exploit a software vulnerability was 840 days. That was more than enough time to ship a product, get it running, and then sort out the kinks along the way.


AI ex machina

However, AI tools have completely flipped the script: the report argues that today it takes less than two days to exploit a vulnerability, and that in less than two years the time-to-exploit window will shrink even further, down to just one minute.

Checkmarx says this warning will be “particularly relevant” for healthcare, given the fact that hospitals and health systems are already facing escalating ransomware attacks, third-party software risk, and growing regulatory pressure, especially in the aftermath of the Change Healthcare incident.

Vibe-coded apps (solutions built entirely by chatting with an AI, without manual review of the code) will only compound the problem, it seems. Recent Wired research suggested that plenty of vibe-coded web apps were being pushed live with “weak or nonexistent auth, exposed data, and basic security flaws.”

The report, which was released earlier this month, claims that the researchers found more than 5,000 apps that were exposing corporate or personal data on the open web. It included medical data, financial information, internal corporate data, as well as customer chats.



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
