How To Secure Software In The GenAI Coding Era
Chris Wysopal is Founder and Chief Security Evangelist at Veracode.
Generative artificial intelligence (GenAI) has very quickly established a foothold among code developers as an essential tool in their workflow. Developers have shifted from the traditional code reuse model to generating new code snippets by prompting GenAI, leading to a significant change in software development dynamics. It's easy to see why, as the merits are well-documented. GenAI-driven generation of code comes with an unquestioned productivity boost.
Research from Microsoft has shown that developers using GenAI were able to complete 26% more tasks on average, increase the number of code commits by 13.5% and increase builds by 38.4%. In the competitive marketplace where every company and developer is looking for an edge, these numbers reinforce the obvious: The GenAI co-generation era is here to stay.
The productivity boost from GenAI is clear, but it creates tension with the industry's increasing push to secure coding and software security.
Traditionally, developers wrote code over an extended period of time—weeks or even months—then tested it for vulnerabilities before production deployment. That approach changed with DevOps, which emphasized writing, testing and deploying smaller chunks of code in rapid cycles. To address security concerns in this agile environment, the DevSecOps movement emerged, embedding security testing tools directly into the development pipeline.
Now, AI-driven code generation has further accelerated this cycle. While code reuse decreases and code velocity increases in this new paradigm, vulnerability density remains consistent because the large language models (LLMs) that developers are using are often trained on open-source datasets rife with existing security flaws. With far more output at the same vulnerability density, faster code production leads to a proportional increase in vulnerabilities.
Recent studies back up these concerns. New York University researchers found that 40% of code produced by Microsoft's Copilot AI contained known security vulnerabilities, while a similar study from Wuhan University found security weaknesses in 30% of Python and 24% of JavaScript Copilot-generated code snippets. Despite this, developers often perceive AI-generated code to be more secure than it is. Stanford University found that developers using LLMs were more likely to write insecure code while being overly confident about its security.
To fully leverage AI-assisted development, the first step is to approach code co-generation with open eyes. Organizations must acknowledge and actively counter the human biases that lead to overconfidence in AI-generated content. The data says that LLMs are fallible and likely to introduce just as many (if not more) security flaws as their human counterparts, but it's up to the developers to heed that important warning.
Developers must also understand that the quality of AI-generated code is only as good as the dataset on which it was trained. If the training data includes vulnerable open-source code, those vulnerabilities will likely surface in the generated output. Using curated datasets known to include more secure code and incorporating security considerations into any GenAI prompts are important steps that will help developers ensure a foundation of secure AI co-generation.
The increased velocity of vulnerability introduction has already gone beyond what human remediation can handle. Veracode's State of Software Security Report (SoSS) found that only 20% of applications achieve a monthly fix rate exceeding 10% of identified flaws. Persistent high-severity vulnerabilities, or "security debt" (i.e., security flaws in code that are unfixed for more than one year), continue to accumulate as a result. As that debt adds up, it leads to more compliance risks, security alerts and quality issues.
The only way to keep pace is to fight fire with fire in the form of AI-assisted remediation tools. These solutions offer a way to address security issues without expanding development teams or diverting their focus from core objectives. As GenAI reshapes software development, security automation will become increasingly essential. From vulnerability detection to automated fixes, integrating AI into the security pipeline will ensure a balance between speed and security.
Developers will use GenAI as part of the software development process moving forward. The industry is simply too competitive to leave that bump in productivity on the table. But companies need to take a realistic approach, which means a complete reevaluation of security practices to address the risks inherent in AI-generated code.
By automating security processes and leveraging AI-powered remediation tools, developers can harness the full potential of GenAI while maintaining robust security standards. The era of GenAI demands faster code development and smarter, AI-driven security measures to ensure that the threat of vulnerability proliferation is kept in check.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Yahoo
an hour ago
- Yahoo
What the Tech: Chat GPT or something else
You've probably used Chat GPT for any number of things, but it isn't the only AI game in town. Three other major AI platforms are receiving a lot of attention. Chat GPT, Google Gemini, Microsoft CoPilot, and Perplexity are comparable in many ways, but does one stand out from the others? To find out, I put them all to the test, asking the same questions. What I found is they're all good at what they do, but some are better at certain jobs. ChatGPT has become a household name, and for good reason. It's great for content creation, brainstorming, and generating ideas in a friendly, natural tone. For instance, when asked for birthday party ideas for a 10-year-old, ChatGPT delivered creative and detailed responses. It also shines for planning vacations, finding restaurants, and coming up with gift ideas. Perplexity has rapidly shifted the AI space, and even the free version has some of the best tools for finding answers. I think of Perplexity as 'Google on steroids'. It focuses on real-time web searches with clear citations. If you're doing research on a topic or drafting an outline for a paper or report, Perplexity generates responses that include clickable links to the sources it uses. When I asked about the latest statistics on electric vehicle sales in the U.S., Perplexity delivered accurate information with verifiable sources, a feature not consistently offered by other platforms. Google's Gemini is deeply integrated into the Google ecosystem, making it ideal for users who use Google products. Gemini can summarize lengthy email threads, draft replies, and locate files within Google Drive. Its seamless integration with Gmail and Google Docs streamlines workflow for those committed to the Google suite. Google also just introduced new features to Gemini, including what is perhaps the best video and photo generator in the AI world. Some of those tools aren't available for users of the free version. For Microsoft Office power users, CoPilot is a game-changer. This AI assistant can analyze spreadsheets, summarize Excel documents, and even suggest slide titles and content for PowerPoint presentations. CoPilot provides charts and insights, acting like a virtual coworker whose specialty is everything Microsoft. So, which AI tool is the best? The answer depends on your specific needs. ChatGPT shines in content creation and general use. Perplexity is best for web searches with citations, Gemini is perfect for Google product users, and CoPilot is the best tool for those working extensively with Microsoft Office. One AI platform does not check all of the boxes at the moment. Use them all. And if you're considering a subscription to any of them (typically $20 per month), this may help you decide which one is worth it. Copyright 2025 Nexstar Media, Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
Business Insider
4 hours ago
- Business Insider
Microsoft-Backed OpenAI (MSFT) Now Has Three Million Paying Business Users
Earlier today, Microsoft-backed OpenAI (MSFT) announced that it now has 3 million paying business users, which is a major increase from the 2 million it reported in February. These users come from ChatGPT Enterprise, ChatGPT Team, and ChatGPT Edu. The company first gained popularity in 2022 with its consumer AI chatbot and has since expanded into business-focused tools. Interestingly, OpenAI currently supports around 400 million weekly active users and expects to generate $12.7 billion in revenue this year, a big leap from last year's $3.7 billion revenue projection and estimated $5 billion loss. Confident Investing Starts Here: Furthermore, OpenAI says that its tools are being widely adopted, even in tightly regulated sectors like finance and healthcare. The company also just added new features to its business plans, such as 'connectors,' which let users pull data from services like Google Drive, Dropbox, SharePoint, and others, all within ChatGPT. In addition, a new 'record mode' lets users record and transcribe meetings, with plans to turn recordings into documents using a tool called Canvas. Interestingly, Brad Lightcap, OpenAI's COO, said businesses want ChatGPT to feel like an active helper, not a tool that is hidden away. As a result, the new features aim to make ChatGPT more useful in daily work by integrating it with the apps and documents people already use. This has led to OpenAI now signing nine new enterprise customers each week, and Lightcap believes these tools are becoming a standard part of how knowledge workers get things done. Is MSFT Stock a Buy? Although you cannot directly invest in OpenAI, you can buy shares of Microsoft, which has a 49% stake in OpenAI. And according to analysts, Microsoft stock has a Strong Buy consensus rating among 35 Wall Street analysts. That rating is based on 30 Buys and five Holds assigned in the last three months. Furthermore, the average MSFT price target of $514.07 implies 10.7% upside potential.
Yahoo
6 hours ago
- Yahoo
Apple WWDC 2025: What to expect
Apple's 2025 Worldwide Developers Conference kicks off on Monday, June 9. The expectations are a bit muted this year, given the big AI announcements that came last year. In the video above, Yahoo Finance Tech Editor Dan Howley shares what he will be watching from the big Apple (AAPL) event. To watch more expert insights and analysis on the latest market action, check out more Market Domination here. We're going to stick with Apple here cuz it is kicking off its worldwide developers conference on Monday. Pivotal moment for Apple, as it competes in the AI race. From our Yahoo! Finance tech editor, Dan Howley. Dan, of course, this is the show where they get up there, it's Tim Cook, it's Craig Federighi himself, and you're talking to millions of developers. You're trying to convince them, "Hey, you wanna build in the Apple ecosystem." Yeah, I mean, and that's generally what they do. I think this year, the expectations are more subdued than in prior years. Just because last year, they had their huge AI rollout. That hasn't been going so hot for them. Siri, obviously, was put on the back burner. Now we're waiting to see when that's able to come out. So, we're still gonna get some good announcements this year, but not necessarily the big wowee that, you know, we got last year. For this year to just kind of prove what they're able to do in the AI race, they have to just show that they can compete. That they aren't an also-ran anymore. Obviously we have Google, they had their IO developer conference, Microsoft, they had their build developer conference, both of them rolling out these big AI functions that are getting consumers and enterprises excited. What does Apple have there? They also just give us an idea when Siri's coming, man! Like, I know they said later this year, sometime this year, but this was really the marquee piece of WWDC 2024. They showed off some of the great examples of how this could be used. One of them was, you know, say your mom's landing, flights landing, when should you leave or when do you expect the flight to land? Well, you'll ask Siri, it'll go into your email, your messages, find out what time the flight was expected to land, and then cross-reference that with flight tracking information, and say, "Okay, the flight's expected to land, blank." That's That sounds great! Sounds awesome. Not there yet. So we're gonna have to see where that is. By the way, that's the idea of agentic AI, and that's kind of where, you know, Microsoft's heading, where Google's heading. We have to see if Apple's able to do that. And then the other thing is, are they making their AI worthwhile for developers to build on? Now, there's been reports from Bloomberg's Mark Gurman, basically saying that they're going to open up some of their own language models, their smaller language models that they use on device developers so that they'll be able to then build on Apple's own language models. We'll see if that ends up kind of goosing any kind of new type of app capability. You know, the idea here is, think about what happened with the App Store. They opened up the App Store, we have a whole ecosystem of products now, right? I mean, Ubers, you're not taking Ubers without the App Store, right? Not saying that that's going to be on this level, but that's the idea. Is you open it up to developers and then they just start to go wild, and perhaps that really starts to send Apple's AI capabilities, you know, out into outer space, right? So, that's the idea there. Everything kicks off on June 9th, and it'll be at their headquarters. I'll be there. Awesome. It's a great look, by the way. Sign in to access your portfolio
