Survey: Cybersecurity Leaders Much More Concerned About AI-Generated Code
A survey of 400 cybersecurity leaders in the U.S. and United Kingdom published today finds all respondents reporting that AI tools are now generating code in their organization’s code base, with just under a third now seeing those tools being used to generate most of the code being created.
Commissioned by Cycode, a provider of an application security platform, the survey also finds nearly two-thirds of respondents (65%) have seen an increased number of vulnerabilities in their code base following the adoption of these tools.
A full 81% also concede that they lack visibility into how AI is being used across application development workflows. Well over half of respondents identified vulnerabilities generated by AI code, AI tool usage and software supply chain risks as their top concerns.
Amir Kazemi, director of product marketing for Cycode, said the survey makes it clear that AI-generated code is creating a significant blind spot even though 66% of respondents said application security is the top mandate for their teams. The challenge is that tool sprawl coupled with shadow IT adoption of AI tools is moving faster than application security teams can effectively manage, he added.
Overall, survey respondents said it’s clear AI increases productivity (78%) and code quality (79%), and enables faster times to market (72%), but only slightly more than half (52%) have any type of centralized governance framework for adopting AI.
On the plus side, key performance indicators (KPIs) being tracked are reducing vulnerabilities in production environments and adoption of best application security practices by developers, both at 67%, followed closely by faster time to remediation (65%).
All respondents also said their organizations plan to invest more of their budget in AI-related security initiatives in the next 12 months. A full 97% said their organization also plans to unify their application security stack in the next 12 months.
The survey also suggests that many of these initiatives are being driven by a deeper integration of application security teams within the teams leading product development. In fact, the survey finds 56% of respondents noted that product security teams have already assumed responsibility for regulatory and compliance issues. It’s now more a matter of time before those teams also assume more responsibility for application security, said Kazemi.
It’s not clear to what degree security teams might ever be able to keep pace with AI-generated code relying on existing tools and workflows. Ultimately, application security teams will need to rely more on AI to validate code being generated by coding tools. The challenge is that between now and when those tools and processes are in place, the amount of technical debt in the form of vulnerabilities that are becoming easier to exploit is only going to increase.
As it becomes increasingly apparent there are now more application security issues than ever, it’s probable more organizations will make adopting best DevSecOps practices a much higher priority. In the meantime, however, it’s now all but certain application security will get worse before it, hopefully, gets better with some help from AI.

