Latest news with #ChrisWysopal


Forbes
31-07-2025
- Forbes
How A Clash Of Cultures Changed Software Security Forever
Chris Wysopal is Founder and Chief Security Evangelist at Veracode.

In 1998, I found myself in an unexpected place: testifying before the U.S. Senate about computer security alongside my fellow L0pht members. We weren't executives or policymakers—we were hackers. But our message was clear: something had to change. Software was being shipped with critical vulnerabilities, and no one was being held accountable.

We got to the Senate floor because we made noise. We did full disclosure. We forced uncomfortable conversations. We weren't seeking notoriety; we were advocating for a safer digital world.

Back then, responsible disclosure was ad hoc and adversarial. The tools we built and the research we published were often seen as threats rather than contributions. But we believed that exposing systemic flaws was the only way to compel progress. That mindset of transparency as a driver of accountability feels more relevant than ever.

Today's threat landscape is shaped by AI, automation and hyperconnectivity. Just as we once exposed buffer overflows and insecure protocols, today's researchers are surfacing flaws in machine learning models, hallucinated code and autonomous agents. The same principle applies: visibility must precede security. You can't fix what you can't see.

Leaders need to prepare for vulnerability discovery at machine speed. Create pathways to disclose flaws uncovered by AI systems, whether in third-party code or your own models. Build red-teaming capabilities for your AI stack, and design systems that reward (not resist) the signals surfaced by independent researchers.

At first, L0pht operated outside the system because the system wouldn't listen. But over time, things changed. We sat down with Microsoft in the late 1990s to explain our intent. We weren't trying to embarrass anyone. We just believed users deserved to know when protocols were insecure. That conversation led to coordinated disclosure policies and, later, acknowledgment of researchers in vendor advisories. The lesson we learned—that collaboration beats confrontation—should guide leaders today.

Security isn't just a technical function; it's a human one. And culture determines whether people share what they know. CISOs should create internal equivalents of coordinated disclosure. Your engineers, product managers and legal teams must feel empowered to raise issues, even when they're inconvenient. Normalize the flow of uncomfortable truths. Adopt a blameless disclosure culture. And externally, build partnerships with the open-source community, independent researchers and other vendors that make collaboration frictionless and high-trust.

Our philosophy at L0pht was 'hack everything.' The goal was never just to break things, but to understand them. Security, to us, wasn't about checking boxes. It was about gaining a deeper grasp of how systems worked so we could make them safer. That approach shaped the work we did when we joined @stake in 2000 and, later, consulted with Microsoft to help secure products such as Internet Explorer 6. Our team introduced methodologies like threat modeling, fuzzing and runtime attack surface analysis that became foundational to Microsoft's Security Development Lifecycle.

Today, the pressure to move fast is orders of magnitude greater than it was back in our L0pht days. Leaders are constantly balancing innovation with compliance and risk mitigation, but the real opportunity lies in embedding security into the innovation process itself. Partner with engineering early in the development cycle. Build threat modeling into product design. View security not as a bottleneck but as a catalyst for better code and more resilient systems. The faster you move, the earlier security needs to be involved, because it's far more expensive and disruptive to fix things after the fact.

At its core, L0pht wasn't just a lab or a company. It was a culture. We shared tools, ideas and research openly because we believed in democratizing knowledge. That spirit helped seed today's bug bounty programs, open-source security tooling and responsible disclosure norms.

As AI reshapes development, security and infrastructure, leaders need to cultivate a similar culture of curiosity and principled dissent. Hire for grit and creativity, not just credentials. Promote the quiet truth-tellers. Build psychological safety so people feel safe flagging issues even when it's politically risky. Security today isn't just about firewalls and encryption; it's about culture. And the most resilient organizations are the ones where people feel empowered to speak up, challenge assumptions and think like attackers, because they want to protect what matters.

It's easy to forget how radical it once was for a vendor to listen to a hacker. But that's the shift we helped drive in the early 2000s: from antagonism to collaboration—from underground to boardroom. Today, security researchers have a seat at the table, but the lessons of the past still apply. Vulnerabilities don't get fixed because we wish them away. They get fixed because someone insists that they can't be ignored. That insistence, combined with collaboration, transparency and a willingness to embrace uncomfortable truths, is what made the difference then. It's what still makes the difference now.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
Yahoo
11-06-2025
- Business
- Yahoo
Public Sector Application Risk Accumulates as Security Debt Grows Across Government Systems
Veracode's Public Sector State of Software Security 2025 Report Reveals 78% of Government Organizations Operate with Unaddressed Security Flaws, with Critical Vulnerabilities Persisting for Years

BURLINGTON, Mass., June 11, 2025--(BUSINESS WIRE)--Veracode, a global leader in application risk management, today released its Public Sector State of Software Security 2025 report, revealing alarming trends in software security across government organizations. Drawing from an extensive analysis of 1.3 million unique applications and 126.4 million raw findings, the research shows 78 percent of public sector organizations are operating with significant security debt—flaws left unaddressed for more than a year. Moreover, 55 percent are burdened with 'critical' security debt, representing long-standing vulnerabilities with severe risk potential.

Public Sector Security Debt Exceeds Industry Average

In an era where public trust and digital infrastructure security are paramount, the public sector continues to struggle with timely vulnerability remediation. The research reveals that public sector entities require an average of 315 days to fix half their software vulnerabilities—significantly higher than the overall average of 252 days. This 63-day delay creates substantial windows of opportunity for potential application-layer attacks and data breaches.

The data further reveals that even after two years, one-third of security flaws in government applications remain unresolved, with 15 percent persisting for more than five years. This prolonged remediation (depicted in the survival curve in Fig. 1) illustrates how unaddressed vulnerabilities accumulate into widespread security debt.

"Many government organizations are facing growing challenges in keeping up with vulnerability remediation, potentially leaving critical systems and data that run essential government services exposed," said Chris Wysopal, Chief Security Evangelist at Veracode. "Our research highlights an urgent need for the public sector to modernize its security practices, especially when it comes to managing risk in open-source software."

Veracode collaborates directly with public sector agencies to tackle these cybersecurity challenges. Backed by findings from more than 360 trillion lines of code analyzed over two decades, the Veracode platform provides comprehensive risk visibility from design through deployment, enabling organizations to remediate vulnerabilities with speed and precision.

Third-Party Code Presents Disproportionate Risk Profile

A particularly concerning finding reveals that while third-party and open-source code comprise less than 10 percent of overall security debt, they account for a staggering 70 percent of critical security debt in government systems. Worse yet, these flaws take approximately 50 percent longer to fix compared to flaws in first-party software developed internally.

Wysopal said, "This disproportionate risk highlights the importance of securing software supply chains and carefully vetting open-source dependencies. Without extending visibility and remediation efforts beyond internal code, public sector entities risk leaving the most dangerous flaws unaddressed. As the use of AI-generated code increases across organizations, comprehensive open-source analysis is more essential than ever to prevent hidden flaws from slipping through."

Security Maturity Benchmarks Reveal Performance Disparities

Despite overall concerning trends, Veracode's research reveals leading government agencies are successfully reducing security debt and resolving vulnerabilities nearly four times faster than others. These high-performing organizations demonstrate that meaningful improvement is achievable, offering a clear path forward for peers looking to strengthen their software security posture.

The report identifies five key metrics that measure an organization's application security maturity and debt management capability, revealing distinct performance gaps between leading and lagging public sector organizations:

- Flaw Prevalence: Leading agencies have flaws in fewer than 33 percent of applications, while lagging agencies show flaws in 100 percent of their applications.
- Remediation Capacity: Leaders address more than nine percent of flaws monthly, compared to just 0.1 percent for laggards.
- Resolution Speed: Top performers resolve half of their flaws within 3.3 months, while bottom performers take more than 11 months for similar results.
- Security Debt Prevalence: Less than 26 percent of applications in leading agencies carry security debt, compared to more than 85 percent in lagging organizations.
- Open-Source Debt: Even among leaders, 84 percent of applications contain open-source critical debt, rising to 100 percent for lagging peers.

"The disparity between top- and bottom-performing government organizations is striking and raises important questions about the factors that make a material difference to security posture," added Wysopal. "This data provides public sector security teams with a clear framework to assess their maturity, identify gaps, and improve their performance based on the practices of top-performing agencies."

A Clear Call to Action

As public sector organizations face mounting cyber threats and expanding regulatory compliance requirements, Veracode recommends two strategic shifts:

- Implement Risk-Based Prioritization: Deploy context-driven security posture management capabilities that correlate findings from multiple security tools and data sources. Advanced solutions like Veracode Risk Manager surface the most exploitable and urgent vulnerabilities, offering automated resolution.
- Enhance Comprehensive Visibility: Establish continuous scanning and developer enablement across the complete software development lifecycle. Proactive flaw identification before deployment remains the most cost-effective and impactful AppSec investment.

Wysopal concluded, "In today's threat landscape, security debt is no longer an acceptable risk. With the right focus, metrics, and automation, public sector agencies can take control of their software risk and build resilience into every release."

With application risk accumulating across government systems, federal, state, and local agencies must balance mission-critical service delivery with effective cybersecurity risk management. Veracode's comprehensive application risk management platform helps agencies navigate these competing demands through accelerated risk remediation, data-driven vulnerability prioritization, and automated risk assessment capabilities that build organizational resilience against evolving threats. This is especially important as AI-generated code and open-source dependencies introduce new complexity into software development processes.

The complete Public Sector State of Software Security 2025 report is available to download on the Veracode website.

About Veracode

Veracode is a global leader in Application Risk Management for the AI era. Powered by trillions of lines of code scans and a proprietary AI-assisted remediation engine, the Veracode platform is trusted by organizations worldwide to build and maintain secure software from code creation to cloud deployment. Thousands of the world's leading development and security teams use Veracode every second of every day to get accurate, actionable visibility of exploitable risk, achieve real-time vulnerability remediation, and reduce their security debt at scale. Veracode is a multi-award-winning company offering capabilities to secure the entire software development life cycle, including Veracode Fix, Static Analysis, Dynamic Analysis, Software Composition Analysis, Container Security, Application Security Posture Management, Malicious Package Detection, and Penetration Testing.
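As an added example (written for this page, not Veracode's tooling or the report's exact methodology), the following computes the five maturity metrics named in the report from a findings export, estimating the resolution half-life with a Kaplan-Meier survival curve so that still-open flaws are censored rather than ignored. The record layout, the 365-day debt threshold, the severities counted as critical debt and the sample data are assumptions constructed for the example.

```python
# Added example for this page (not Veracode's code); record layout, thresholds
# and sample data are assumptions made for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Optional

DEBT_AGE_DAYS = 365                          # page: unaddressed for more than a year
CRITICAL_SEVERITIES = {"critical", "high"}   # assumption: what counts as critical debt


@dataclass(frozen=True)
class Finding:
    app: str
    source: str             # assumed field: "first-party" or "open-source"
    severity: str
    opened: date
    closed: Optional[date]  # None = still open at the as-of date

    def is_open(self, as_of: date) -> bool:
        return self.closed is None or self.closed > as_of

    def age_days(self, as_of: date) -> int:
        """Days from discovery to fix, or to `as_of` if still open."""
        end = as_of if self.is_open(as_of) else self.closed
        return (end - self.opened).days


def flaw_prevalence(findings, apps, as_of):
    """Share of applications with at least one open flaw."""
    return len({f.app for f in findings if f.is_open(as_of)}) / len(apps)


def remediation_capacity(findings, month_start, month_end):
    """Share of the flaws open at month start that were fixed within the month
    (monthly fix rate). Flaws opened and fixed inside the month are not in the base."""
    base = [f for f in findings if f.opened <= month_start and f.is_open(month_start)]
    fixed = [f for f in base if f.closed is not None and month_start < f.closed <= month_end]
    return len(fixed) / len(base) if base else 0.0


def half_life_days(findings, as_of):
    """Days until half the flaws are fixed, via a Kaplan-Meier survival curve.
    Still-open flaws are right-censored at `as_of` instead of dropped; a plain
    median over fixed flaws only would hide long-lived debt and look faster.
    Returns None if survival never reaches 0.5 within the observed window."""
    events = sorted((f.age_days(as_of), not f.is_open(as_of)) for f in findings)
    at_risk, survival, i = len(events), 1.0, 0
    while i < len(events):
        t, fixed_at_t, n_at_t = events[i][0], 0, 0
        while i < len(events) and events[i][0] == t:
            fixed_at_t += events[i][1]      # True counts as 1
            n_at_t += 1
            i += 1
        if fixed_at_t:
            survival *= 1 - fixed_at_t / at_risk
            if survival <= 0.5:
                return float(t)
        at_risk -= n_at_t                   # censored and fixed leave the risk set
    return None


def debt_prevalence(findings, apps, as_of, source=None, severities=None):
    """Share of applications with an open flaw older than DEBT_AGE_DAYS, optionally
    restricted by source and severity (e.g. open-source critical debt)."""
    in_debt = {
        f.app for f in findings
        if f.is_open(as_of) and f.age_days(as_of) > DEBT_AGE_DAYS
        and (source is None or f.source == source)
        and (severities is None or f.severity in severities)
    }
    return len(in_debt) / len(apps)


def maturity_report(findings, apps, as_of, month_start, month_end):
    return {
        "flaw_prevalence": flaw_prevalence(findings, apps, as_of),
        "remediation_capacity": remediation_capacity(findings, month_start, month_end),
        "half_life_days": half_life_days(findings, as_of),
        "security_debt_prevalence": debt_prevalence(findings, apps, as_of),
        "open_source_critical_debt": debt_prevalence(
            findings, apps, as_of, "open-source", CRITICAL_SEVERITIES),
    }


# Constructed sample export: four applications, eight findings, assessed 2025-06-01.
APPS = ["portal", "api", "batch", "mobile"]
AS_OF = date(2025, 6, 1)
MAY_2025 = (date(2025, 5, 1), date(2025, 5, 31))
FINDINGS = [
    Finding("portal", "open-source", "critical", date(2023, 1, 10), None),
    Finding("portal", "first-party", "medium", date(2025, 3, 1), date(2025, 4, 15)),
    Finding("api", "first-party", "high", date(2024, 2, 1), None),
    Finding("api", "open-source", "low", date(2025, 5, 10), date(2025, 5, 20)),
    Finding("batch", "open-source", "critical", date(2025, 1, 15), date(2025, 4, 20)),
    Finding("batch", "first-party", "medium", date(2025, 4, 1), None),
    Finding("mobile", "first-party", "high", date(2025, 3, 20), date(2025, 5, 5)),
    Finding("mobile", "open-source", "high", date(2023, 11, 1), date(2025, 5, 25)),
]

if __name__ == "__main__":
    for name, value in maturity_report(FINDINGS, APPS, AS_OF, *MAY_2025).items():
        print(f"{name}: {value}")
```

On the sample data the survival half-life is 95 days although the median age of the fixed flaws alone is 46 days, which is how unfixed debt shifts a survival curve to the right.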
Learn more at on the Veracode blog, and on LinkedIn and X.

Copyright © 2025 Veracode, Inc. All rights reserved. Veracode is a registered trademark of Veracode, Inc. in the United States and may be registered in certain other jurisdictions. All other product names, brands, or logos belong to their respective holders. All other trademarks cited herein are property of their respective owners.

View source version on

Contacts
Press and Media: Katy Gwilliam, Head of Global Communications, Veracode, kgwilliam@




Forbes
03-04-2025
- Forbes
How To Secure Software In The GenAI Coding Era
Chris Wysopal is Founder and Chief Security Evangelist at Veracode. Generative artificial intelligence (GenAI) has very quickly established a foothold among code developers as an essential tool in their workflow. Developers have shifted from the traditional code reuse model to generating new code snippets by prompting GenAI, leading to a significant change in software development dynamics. It's easy to see why, as the merits are well-documented. GenAI-driven generation of code comes with an unquestioned productivity boost. Research from Microsoft has shown that developers using GenAI were able to complete 26% more tasks on average, increase the number of code commits by 13.5% and increase builds by 38.4%. In the competitive marketplace where every company and developer is looking for an edge, these numbers reinforce the obvious: The GenAI co-generation era is here to stay. The productivity boost from GenAI is clear, but it creates tension with the industry's increasing push to secure coding and software security. Traditionally, developers wrote code over an extended period of time—weeks or even months—then tested it for vulnerabilities before production deployment. That approach changed with DevOps, which emphasized writing, testing and deploying smaller chunks of code in rapid cycles. To address security concerns in this agile environment, the DevSecOps movement emerged, embedding security testing tools directly into the development pipeline. Now, AI-driven code generation has further accelerated this cycle. While code reuse decreases and code velocity increases in this new paradigm, vulnerability density remains consistent because the large language models (LLMs) that developers are using are often trained on open-source datasets rife with existing security flaws. With far more output at the same vulnerability density, faster code production leads to a proportional increase in vulnerabilities. Recent studies back up these concerns. 
New York University researchers found that 40% of code produced by Microsoft's Copilot AI contained known security vulnerabilities, while a similar study from Wuhan University found security weaknesses in 30% of Python and 24% of JavaScript Copilot-generated code snippets. Despite this, developers often perceive AI-generated code to be more secure than it is. Stanford University found that developers using LLMs were more likely to write insecure code while being overly confident about its security.

To fully leverage AI-assisted development, the first step is to approach code co-generation with open eyes. Organizations must acknowledge and actively counter the human biases that lead to overconfidence in AI-generated content. The data says that LLMs are fallible and likely to introduce just as many (if not more) security flaws as their human counterparts, but it's up to the developers to heed that important warning.

Developers must also understand that the quality of AI-generated code is only as good as the dataset on which it was trained. If the training data includes vulnerable open-source code, those vulnerabilities will likely surface in the generated output. Using curated datasets known to include more secure code and incorporating security considerations into any GenAI prompts are important steps that will help developers ensure a foundation of secure AI co-generation.

The increased velocity of vulnerability introduction has already gone beyond what human remediation can handle. Veracode's State of Software Security Report (SoSS) found that only 20% of applications achieve a monthly fix rate exceeding 10% of identified flaws. Persistent high-severity vulnerabilities, or "security debt" (i.e., security flaws in code that are unfixed for more than one year), continue to accumulate as a result. As that debt adds up, it leads to more compliance risks, security alerts and quality issues.
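The two metrics the article leans on, monthly fix rate and security debt, are easy to compute from a scanner's findings export. The script below is an added example, not code from the article or from Veracode's report. It uses a constructed set of findings; the one-year debt threshold follows the article's definition, while the fix rate is interpreted here (an assumption) as flaws fixed during a month divided by flaws that were open at the start of that month.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Finding:
    """One flaw reported by a scanner. fixed=None means still open."""
    id: str
    severity: str          # "high", "medium" or "low"
    opened: date
    fixed: Optional[date] = None

# Constructed sample findings (not real scan data); dates chosen so the
# example exercises every branch of the metrics below.
AS_OF = date(2025, 7, 31)
FINDINGS: List[Finding] = [
    Finding("F-1",  "high",   date(2023, 5, 10)),                     # open ~2 years
    Finding("F-2",  "high",   date(2024, 6, 1)),                      # open > 1 year
    Finding("F-3",  "medium", date(2025, 1, 15)),                     # open < 1 year
    Finding("F-4",  "high",   date(2025, 3, 1),  date(2025, 7, 10)),  # fixed in July
    Finding("F-5",  "low",    date(2025, 4, 20), date(2025, 6, 15)),  # fixed before July
    Finding("F-6",  "medium", date(2025, 5, 5),  date(2025, 7, 28)),  # fixed in July
    Finding("F-7",  "high",   date(2025, 6, 20)),                     # still open
    Finding("F-8",  "low",    date(2025, 7, 5)),                      # opened during July
    Finding("F-9",  "medium", date(2024, 11, 1)),                     # open < 1 year
    Finding("F-10", "high",   date(2024, 2, 1),  date(2025, 7, 20)),  # old, but fixed in July
]

def security_debt(findings: List[Finding], as_of: date = AS_OF,
                  threshold_days: int = 365) -> List[Finding]:
    """Flaws that are still open and have been open for more than one year
    (the article's definition of security debt). Fixed flaws never count,
    however old they are."""
    return [f for f in findings
            if f.fixed is None and (as_of - f.opened).days > threshold_days]

def monthly_fix_rate(findings: List[Finding], month_start: date,
                     month_end: date) -> float:
    """Assumed interpretation: flaws fixed within [month_start, month_end)
    divided by flaws that were open when the month began. Flaws opened
    during the month are excluded from both numerator and denominator."""
    open_at_start = [f for f in findings
                     if f.opened < month_start
                     and (f.fixed is None or f.fixed >= month_start)]
    fixed_in_month = [f for f in open_at_start
                      if f.fixed is not None and month_start <= f.fixed < month_end]
    if not open_at_start:
        return 0.0
    return len(fixed_in_month) / len(open_at_start)

def exceeds_fix_rate_target(findings: List[Finding], month_start: date,
                            month_end: date, target: float = 0.10) -> bool:
    """True if the month's fix rate beats the 10% bar the article cites."""
    return monthly_fix_rate(findings, month_start, month_end) > target

if __name__ == "__main__":
    july = (date(2025, 7, 1), date(2025, 8, 1))
    debt = security_debt(FINDINGS)
    print("security debt:", [f.id for f in debt])              # F-1, F-2
    print("July fix rate: %.3f" % monthly_fix_rate(FINDINGS, *july))  # 3 of 8 = 0.375
    print("exceeds 10% target:", exceeds_fix_rate_target(FINDINGS, *july))
```

Run monthly against the real findings export and the two numbers tell you whether remediation is keeping up with the rate at which generated code adds flaws; a falling fix rate together with a growing debt list is the signal the article warns about.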
The only way to keep pace is to fight fire with fire in the form of AI-assisted remediation tools. These solutions offer a way to address security issues without expanding development teams or diverting their focus from core objectives. As GenAI reshapes software development, security automation will become increasingly essential. From vulnerability detection to automated fixes, integrating AI into the security pipeline will ensure a balance between speed and security.

Developers will use GenAI as part of the software development process moving forward. The industry is simply too competitive to leave that bump in productivity on the table. But companies need to take a realistic approach, which means a complete reevaluation of security practices to address the risks inherent in AI-generated code. By automating security processes and leveraging AI-powered remediation tools, developers can harness the full potential of GenAI while maintaining robust security standards. The era of GenAI demands faster code development and smarter, AI-driven security measures to ensure that the threat of vulnerability proliferation is kept in check.
