AI-generated code raises security risks as governance lags


Techday NZ, 4 days ago
A new report by Checkmarx highlights a growing trend in the use of AI coding assistants, with significant implications for application security and governance.
The report, which surveyed over 1,500 Chief Information Security Officers (CISOs), application security managers and developers across North America, Europe, and Asia-Pacific, reveals that AI-generated code now constitutes a substantial proportion of software development across organisations worldwide. According to the findings, over half of respondents already use AI coding assistants, and 34% report that more than 60% of their code is generated using such tools.
Despite the rapid adoption of generative AI in coding, the survey found that only 18% of organisations have formal policies in place governing the use of AI coding assistants. This points to a significant gap between technological uptake and the establishment of necessary governance frameworks to manage resulting risks.
Vulnerable code and breach rates
The research also highlights that risky development practices, particularly under business pressure, are becoming increasingly normalised. The report states that 81% of organisations knowingly ship vulnerable code. Furthermore, 98% of organisations surveyed experienced a security breach linked to vulnerable code in the past 12 months. This marks a notable rise compared to 91% reporting breaches for the previous year.
Looking ahead, nearly a third (32%) of respondents expect breaches via APIs, including through shadow APIs or business logic attacks, within the next 12 to 18 months. Despite these heightened risks, the report found that fewer than half of respondents regularly deploy core security tools such as dynamic application security testing (DAST) or infrastructure-as-code scanning.
DevSecOps, although widely discussed in the industry, is not yet universally adopted. The survey revealed that only half of the organisations surveyed use essential DevSecOps tools; in North America the figure is just 51%.
AI impacts developer roles and security practices
"The velocity of AI-assisted development means security can no longer be a bolt-on practice. It has to be embedded from code to cloud," said Eran Kinsbruner, Vice President of Portfolio Marketing at Checkmarx. "Our research shows that developers are already letting AI write much of their code, yet most organizations lack governance around these tools. Combine that with the fact that 81% knowingly ship vulnerable code and you have a perfect storm. It's only a matter of time before a crisis is at hand."
The report argues that the use of AI coding assistants is not only expediting software creation but also eroding traditional developer ownership and broadening organisations' attack surfaces.
Checkmarx's report proposes six strategic imperatives aimed at addressing these security challenges: shifting from awareness to action, embedding security from code to cloud, establishing guidance for AI use, operationalising security tools, preparing for agentic AI in security, and developing a culture that empowers developers.
Kinsbruner added: "To stay ahead, organizations must operationalize security tooling that is focused on prevention. They need to establish policies for AI usage and invest in agentic AI that can automatically analyze and fix issues real-time. AI generated code will continue to proliferate; secure software will be the competitive differentiator in the coming years."
Regional perspectives
The report points out regional differences in risk exposure and practices. Chris Ledingham, Director, Northern Europe at Checkmarx, commented: "Our research found that nearly one third, 32%, of European respondents say their organization often deploys code with known vulnerabilities, compared with 24% of those in North America. This suggests the need for a stronger focus across our region on embedding security into development. With AI now writing much of the code base, security leaders face heightened accountability. Boards and regulators will rightly expect CISOs to implement robust governance for AI generated code and to ensure vulnerable software isn't being pushed to production."
Security tooling
The report's publication coincides with Checkmarx's introduction of its Developer Assist agent, which integrates with AI-native integrated development environments (IDEs) such as Windsurf (by Cognition) and Cursor, and with GitHub Copilot. The tool is intended to deliver real-time, context-sensitive security guidance to developers, so that vulnerabilities are prevented at the coding stage rather than found after the fact.
The full report, "Future of Application Security in the Era of AI," covers in further detail the findings on how organisations are managing the evolving risks posed by AI-enabled software development.

Related Articles

Blackpearl opens retail offer after AUD $10.3m raise & US deal (Techday NZ, 18 hours ago)

Blackpearl Group has opened its retail entitlement offer at AUD $0.95 per share, following a AUD $10.3 million institutional raise led by Australian cornerstone investors ahead of its proposed listing on the Australian Securities Exchange as a foreign-exempt entity. The retail component of the entitlement offer allows eligible shareholders to participate following the completion of the offer's institutional stage, which has attracted backing from prominent Australian institutional investors. This development comes as the company finalises its acquisition of US-based AI sales automation firm B2B Rocket, a transaction expected to raise Blackpearl's annual recurring revenue (ARR) to USD $17.5 million and set the direction towards a USD $50 million target.

Australian support
The institutional element of Blackpearl's accelerated non-renounceable entitlement offer (ANREO) and additional placement successfully raised AUD $10.3 million. The support from Australian investors is crucial as Blackpearl progresses its application for an ASX foreign-exempt listing, a move intended to broaden its investor base and reinforce its presence in the world's largest market for small and medium businesses.
Chief Executive Officer Nick Lissette said the offer aligned with the company's broader ambitions: "Blackpearl isn't in the habit of standing still. Investor demand has been clear and with Australian cornerstone support in place and our ASX pathway progressing, we're opening the retail window for eligible shareholders today. This is a rare moment - a New Zealand AI company acquiring a cutting-edge high growth US technology business, backed by Australian institutions and preparing for an ASX quotation. The raise materially broadens our investor base and strengthens our platform to scale in the world's largest SMB market."
Lissette stated that the opening of the retail offer reflects a significant step in Blackpearl's expansion strategy. The offer opened to eligible shareholders on Monday 18 August and will close on 25 August, giving participants the opportunity to subscribe at AUD $0.95 per share. Oversubscriptions will be permitted for those who fully take up their entitlement.

Acquisition and growth targets
Blackpearl's pending acquisition of B2B Rocket, an AI sales automation business based in the United States, is expected to close this week. The company projects that this acquisition will lift ARR to USD $17.5 million, with momentum towards USD $20 million as it maintains a long-term target of USD $50 million.
Lissette added: "We're not inching forward, we're leaping. With B2B Rocket closing this week, we're in striking distance of $20m and so we're now focused on our $50m target. This is the growth story NZ tech needs right now. It's proof that Kiwi innovation can scale - and compete - anywhere and signals that NZ Tech belongs in the big leagues globally and has what it takes to deliver."

Next steps for listing
Blackpearl targets its ASX quotation in approximately three months, contingent on the successful completion of a Tier 1 standard audit of B2B Rocket. The company sees institutional support from Australia as pivotal in this phase. Lissette stated: "Australian institutional backing gives us more than capital; it gives us confidence and credibility as we scale."

Use of proceeds
Proceeds from the entitlement offer will be used to fund the B2B Rocket acquisition, support the scaling of Bebop's growth, integrate B2B Rocket and execute its go-to-market plan, enhance Blackpearl's Data Wholesale resources, and maintain a cash buffer for working capital purposes.
Lissette summarised the company's outlook: "We're not just building a bigger business, we're building a bigger playing field. This particular combination of capital, capability and opportunity doesn't come around often and we intend to use it to take New Zealand AI global."

Accenture to acquire CyberCX, strengthening Asia Pacific security (Techday NZ, 19 hours ago)

Accenture has reached an agreement to acquire CyberCX in a move that will expand its cybersecurity operations across the Asia Pacific region. CyberCX, headquartered in Melbourne, Australia, is recognised for providing cybersecurity services to both private and public sector entities throughout Australia, New Zealand, and international markets. With a workforce of approximately 1,400 professionals, the company brings expertise spanning consulting, transformation, managed security services, offensive and cyber physical security, crisis management, threat intelligence, managed detection and response, and strategic advisory, as well as identity, cloud, and network security.
The acquisition of CyberCX marks the largest cybersecurity purchase in Accenture's history and aims to strengthen its position in Asia Pacific, a region facing increasingly complex regulatory and cybersecurity challenges. CyberCX operates multiple security operations centres across Australia and New Zealand and maintains additional offices in London and New York, which enables it to merge local insight with global coverage.

Capabilities and technology
CyberCX has introduced several AI-powered security platforms, providing services such as detection and response, a sovereign secure cloud, and the CyberCX Academy for skills development. It also employs proprietary tools for security assessment and the gathering of cyber intelligence. This focus on technology aligns with findings from Accenture's State of Cybersecurity Resilience 2025 report, which identified that 97% of Australian organisations are not fully prepared to secure their AI-driven operations, while 80% currently lack fundamental data and AI cybersecurity practices to protect models and cloud infrastructure.
Paolo Dal Cin, Global Lead for Accenture Cybersecurity, commented on the shared objectives between the two companies: "CyberCX and Accenture share a mission to harness the power of cyber to help our clients securely navigate change, accelerate business reinvention and build resilience against evolving threats. By combining Accenture's agentic AI capabilities with CyberCX's strong market leadership, innovative offerings and trusted C-suite and government relationships, we will enable clients across Asia Pacific to transform cybersecurity into a strategic advantage."

Industry partners and expertise
CyberCX has developed partnerships with major cybersecurity players, including Microsoft, Palo Alto Networks, and CrowdStrike. The provider is regularly recognised as a top managed service and system integrator in the region. Its workforce collectively holds over 2,600 industry certifications.
Peter Burns, who leads Accenture's business in Australia and New Zealand, outlined the drivers behind the transaction: "Client demand for cybersecurity services is accelerating as data and digital environments become increasingly connected and heightened threats are exposed across operational value chains, supply chains and the enterprise. The need for responsible governance is also rising as AI and Quantum technologies advance. CyberCX's breadth of capabilities, trusted relationships with government and critical infrastructure organisations, and exceptional talent in the region, combined with Accenture's local and global scale and innovation, will help us meet this ever-increasing client need."

Market growth and integration
John Paitaridis, CEO of CyberCX, highlighted the firm's progress and the opportunities arising from the acquisition: "We are immensely proud of the business we have built, becoming one of the leading providers of cybersecurity services in the region. Joining Accenture's global cybersecurity organisation enables our exceptional people to combine forces with global capabilities and provide world-leading cybersecurity services to an even greater number of clients across Asia Pacific as we accelerate our growth in the region. Our shared mission for helping clients stay ahead of emerging threats and build resilience makes this a force multiplier."
The acquisition is the latest in a series of steps by Accenture aimed at expanding its cybersecurity portfolio. Since 2015, the company has completed 20 acquisitions in this sector, including Morphus, MNEMO Mexico, and Innotec Security. The financial terms relating to the CyberCX transaction have not been specified. The closing of the deal is subject to regulatory approvals and other customary closing conditions.

Eliminating jobs and living on borrowed time (Otago Daily Times, a day ago)

As ever, we are living on borrowed time. There's the familiar old threat of global nuclear war and the growing risk of global climate catastrophe, plus not-quite-world-ending potential disasters like global pandemics and untoward astronomical events (asteroid strikes, solar flares, etc.) Lots to worry about already, if you're that way inclined. So, it's understandable that the new kid on the block, artificial intelligence, has been having some trouble making its presence felt.
Yet the so-called 'godfather of Artificial Intelligence', scientist Geoffrey Hinton, who last year was awarded the Nobel Prize for his work on AI, sees a 10% to 20% chance that AI will wipe out humanity in the next three decades. We will come back to that, but let's park it for the moment because the near-term risk of an AI crash is more urgent and easier to quantify. This is a financial crash of the sort that usually accompanies an exciting new technology, not an existential crisis, but it is definitely on its way.
When railways were the hot new technology in the United States in the 1850s, for example, there were five different companies building railways between New York and Chicago. They all got built in the end, but most were no longer in the hands of the original investors and a lot of people lost their shirts.
We are probably in the final phase of the AI investment frenzy right now. We're a generation on from the bubble of the early 2000s, so most people have forgotten about that one and are ready to throw their money at the next. There are reportedly now more than 200 AI "unicorns" — start-ups "valued" at $1 billion or more — so the end is nigh. The bitter fact that drives even the industry leaders into this folly is the knowledge that after the great shake-out not all of them will still be standing. For the moment, therefore, it makes sense for them to invest madly in the servers, data-centres, semiconductor chips and brain-power that will define the last companies standing.
The key measure of investment is capex — capital expenditure — and it's going up like a rocket even from month to month. Microsoft is forecasting about $100b in capex for AI in the next fiscal year, Amazon will spend the same, Alphabet (Google) plans $85b, and Meta predicts between $66 and $72b. Like $100m sign-on fees for senior AI researchers who are being poached from one big tech firm by another, these are symptoms of a bubble about to burst and lots of people will lose their shirts, but it's just part of the cycle. AI will still be there afterwards, and many uses will be found for it. Unfortunately, most of them will destroy jobs.
The tech giants themselves are eliminating jobs even as they grow their investments. Last year 549 US tech companies shed 150,000 workers, and this year they are disappearing even faster. If that phenomenon spreads across the whole economy — and why wouldn't it? — we can get to the apocalypse without any need for help from Skynet and the Terminator.
People talk loosely about "Artificial General Intelligence" (AGI) as the Holy Grail, because it would be as nimble and versatile as human intelligence, just smarter — but as tech analyst Benedict Evans says, "We don't really have a theoretical model of why [current AI models] work so well, and what would have to happen for them to get to AGI. It's like saying 'we're building the Apollo programme but we don't actually know how gravity works or how far away the Moon is, or how a rocket works, but if we keep on making the rocket bigger maybe we'll get there'."
So the whole scenario of a super-intelligent computer becoming self-aware and taking over the planet remains far-fetched. Nevertheless, old-fashioned 2022-style generative AI will continue to improve, even if Large Language Models are really just machines that produce human-like text by estimating the likelihood that a particular word will appear next, given the text that has come before.
Aaron Rosenberg, former head of strategy at Google's AI unit DeepMind, reckons that no miraculous leaps of innovation are needed. "If you define AGI more narrowly as at least 80th-percentile human-level performance [better than four out of five people] in 80% of economically relevant digital tasks, then I think that's within reach in the next five years."
That would enable us to eliminate at least half of the indoor jobs by 2030, but if the change comes that fast it will empower extremists of all sorts and create pre-revolutionary situations almost everywhere. That's a bit more complicated than the Skynet scenario for global nuclear war, but it's also a lot more plausible. Slow down.
— Gwynne Dyer is an independent London journalist.
