Friday, August 29, 2025

Over 80 percent of organizations knowingly ship vulnerable code


New research shows that 81 percent of organizations knowingly ship vulnerable code, and that 98 percent experienced a breach stemming from vulnerable code in the past year, a sharp rise from 91 percent in 2024.

The survey from Checkmarx, of more than 1,500 CISOs, AppSec managers and developers around the world, also shows that AI‑generated code is becoming mainstream, but governance is lagging.

Half of respondents already use AI security code assistants, and 34 percent admit that more than 60 percent of their code is AI‑generated. Yet only 18 percent have policies governing this use. The report argues that, without such governance, the growing adoption of AI coding assistants is eroding developer ownership of code and expanding the attack surface.

Within the next 12 to 18 months, 32 percent of respondents expect to see Application Programming Interface (API) breaches via shadow APIs or business logic attacks. Despite this, fewer than half of respondents report deploying foundational security tools such as dynamic application security testing (DAST) or infrastructure‑as‑code scanning. While DevSecOps is widely discussed across the industry, only half of the organizations surveyed actively use its core tools, and just 51 percent of North American organizations report adopting DevSecOps at all.

“The velocity of AI‑assisted development means security can no longer be a bolt‑on practice. It has to be embedded from code to cloud,” says Eran Kinsbruner, vice president of portfolio marketing. “Our research shows that developers are already letting AI write much of their code, yet most organizations lack governance around these tools. Combine that with the fact that 81 percent knowingly ship vulnerable code and you have a perfect storm. It’s only a matter of time before a crisis is at hand.”

To close the application security readiness gap, the report recommends moving from awareness to action, embedding ‘code‑to‑cloud’ security, governing AI use in development, operationalizing security tools, preparing for agentic AI in AppSec, and cultivating a culture of developer empowerment.

Kinsbruner adds, “To stay ahead, organizations must operationalize security tooling that is focused on prevention. They need to establish policies for AI usage and invest in agentic AI that can automatically analyze and fix issues in real time. AI‑generated code will continue to proliferate; secure software will be the competitive differentiator in the coming years.”

You can get the full report from the Checkmarx site.

Image credit: YAYImages/depositphotos.com
