Checkmarx: 30% of Devs Ship Known-Vulnerable AI Code
Key insights
- Organizations where 81-100% of production code is AI-generated ship vulnerable code at 3.4x the rate of those at 1-20% AI adoption.
- 93% of surveyed organizations reported at least one security breach attributed to a vulnerable application.
- Developers knowingly deploy flawed AI code citing speed pressure, fix difficulty, and reliance on downstream security controls.
Why this matters
The 3.4x gap in vulnerable-code deployment between high- and low-AI-adoption organizations turns what had been a theoretical concern into a measured risk curve, giving security and engineering leaders a concrete figure to take to the board. With 49% of production code now AI-generated across surveyed organizations, the AppSec gap is not a future problem: 93% of those organizations report having already experienced a breach. Technical leaders evaluating AI coding tools now have data that reframes the central question from whether AI code quality is acceptable to whether their security review and remediation processes can scale at the rate AI output is growing.
Summary
Checkmarx surveyed 2,350 developers, CISOs, and AppSec managers globally and found a sharp paradox: 70% believe AI-generated code holds more vulnerabilities than human-written code, yet 30% knowingly push it to production anyway.
Speed pressure is the driver. Developers cite tight deployment timelines, vulnerabilities too difficult to fix, and a bet that downstream controls will catch problems later. Checkmarx names the outcome plainly: "Risk is normalized."
In short, Checkmarx finds that AI adoption and breach rates rise together:
- 93% of surveyed organizations reported at least one security breach from a vulnerable application
- Organizations at 81-100% AI code adoption ship vulnerable code at 3.4x the rate of those at 1-20% adoption
- 49% of production code is now AI-generated, down from 54% in an earlier measurement
The report lays out the chain directly: higher AI code volume is associated with more vulnerable code reaching production, which in turn is associated with more frequent breaches. Note that this is survey data, so the relationship is correlational and self-reported, not a controlled measurement of AI-introduced flaws.
Potential risks and opportunities
Risks
- Organizations already at 81-100% AI code adoption ship vulnerable code at 3.4x the rate of low-adoption peers; scaling AI use further without closing the AppSec process gap will widen that differential before controls catch up
- The 'reliance on downstream controls' rationalization cited by developers creates a systematic blind spot: if those downstream controls miss a class of AI-introduced vulnerability, it ships undetected across the full pipeline at scale
- Regulators and cyber insurers citing the Checkmarx breach-rate figures could push for mandatory AppSec audits or reprice premiums for high-AI-adoption organizations before those organizations have updated their processes
Opportunities
- AppSec vendors with AI-specific scanning capabilities -- Checkmarx itself, plus competitors like Snyk and Semgrep -- are positioned to close sales at the 93% of surveyed organizations that already experienced a breach, using the breach-rate data as the lead argument
- Organizations that can demonstrate lower breach rates at high AI code adoption levels gain a differentiated security posture that becomes a competitive advantage and a direct input into favorable cyber insurance pricing
- Automated remediation tooling vendors can target two of the three drivers Checkmarx identifies -- vulnerabilities too difficult to fix and speed pressure -- with products that reduce the friction of fixing flaws before deployment rather than only detecting them afterward
What we don't know yet
- Whether the 30% of developers shipping known-vulnerable code are concentrated in specific industries, company sizes, or geographies -- the survey covers 2,350 global respondents, but the article does not segment either the 30% figure or breach rates by sector
- What accounts for the drop in AI-generated production code from 54% to 49% -- the article notes the change but gives no explanation for whether it reflects deliberate security pullback, methodology differences, or market shifts
- Which specific vulnerability classes are most prevalent in AI-generated code versus human-written code -- the report quantifies breach rates but does not identify the underlying flaw taxonomy driving the gap
Originally reported by theregister.com
Original headline: Checkmarx Survey: 30% of Developers Knowingly Deploy Vulnerable AI-Generated Code to Production — Orgs at 81–100% AI Adoption Breach at 3.4× the Rate