
AI-generated code and rising vulnerabilities strain DevSecOps

A global survey of over 2,300 industry professionals reveals that nearly half of all production code in 2025 is AI-generated. While organizations are rapidly integrating artificial intelligence into development workflows, they are simultaneously facing a surge in discovered vulnerabilities and significant security debt. The data highlights a growing tension between the speed of AI-assisted deployment and the rigorous enforcement of security protocols required to protect modern software infrastructures.

Figure: AI-generated code and rising vulnerabilities strain DevSecOps (illustration for the news item in the «Code» section). Image source: Devops

According to Devops, a comprehensive study conducted by CensusWide on behalf of Checkmarx indicates that 96% of developers and security managers now utilize artificial intelligence tools within their application development workflows. However, this rapid adoption is coinciding with a measurable decline in code integrity, as 49% of all production environment code was identified as AI-generated in 2025.

Rising vulnerability rates and developer workload

The transition to AI-assisted development has not been without complications. The survey reports that 70% of respondents are discovering more vulnerabilities than before, with 31% characterizing this increase as significant. This surge in security issues places a heavy burden on engineering teams; on average, developers now spend 49% of their weekly time addressing security-related problems.

Despite the availability of integrated development environment (IDE) guidance, which nearly all respondents deemed effective, only 18% of organizations consistently scan code as it is being written. This gap in real-time monitoring contributes to a broader culture of risk acceptance:

  • 93% of respondents acknowledged experiencing at least one security breach due to a vulnerable application developed by their organization.
  • 75% admitted to knowingly deploying vulnerable code on a frequent or occasional basis.
  • Nearly 95% of participants reported feeling pressure to prioritize or delay reporting compliance-related security issues.

The cost of prioritizing speed over security

When asked why vulnerable code is shipped, respondents cited a reliance on existing controls, the hope that flaws would remain undiscovered (30%), and the urgent need to meet business or feature deadlines (27%). Jonathan Rende, chief product officer for Checkmarx, noted that many teams are being set up to fail due to an overemphasis on rapid feature delivery. He warned that as frontier AI models make it easier to create malware, the lack of rigorous DevSecOps practices becomes a critical liability.

The data suggests a significant gap between perceived and actual security maturity. While 73% of respondents rate their organization's security posture as highly mature or advanced, nearly half of those with such ratings experienced three or more breaches in the last 12 months. Furthermore, only 9% of organizations report fixing more than 90% of vulnerabilities within a 90-day window. This suggests that technical security debt is accumulating at an accelerated pace as AI tools further compress development timelines.

FAQ

How much time do developers spend on security issues?
On average, developers now spend 49% of their weekly time addressing security-related problems. This surge in security issues places a heavy burden on engineering teams as organizations struggle with rising vulnerability rates and significant security debt.
What percentage of organizations consistently scan code during development?
Only 18% of organizations consistently scan code as it is being written. Despite nearly all respondents deeming integrated development environment (IDE) guidance effective, this gap in real-time monitoring contributes to a broader culture of risk acceptance.
Why do companies ship vulnerable code?
Respondents cited reliance on existing controls and the hope that flaws would remain undiscovered (30%), while 27% attributed it to the urgent need to meet business or feature deadlines.