Developer Survey: 70% Know AI-Generated Code Is Insecure, Yet 30% Ship It to Production Anyway
Key Takeaways
- 70% of developers acknowledge AI-generated code has more vulnerabilities, but 30% deploy it to production anyway
- AI-generated code represents 49% of production applications, with additional risk from 59% open-source dependencies
- 93% of organizations experienced security breaches from vulnerable applications despite having security tools available
Summary
A new survey by cybersecurity firm Checkmarx reveals a troubling disconnect between developer awareness of security risks in AI-generated code and their willingness to deploy it at scale. The research, conducted among 2,350 global developers, CISOs, and security professionals, found that 70% believe AI-generated code contains significantly more vulnerabilities than human-written code—yet 30% knowingly ship vulnerable AI-generated code into production anyway. AI-generated code now comprises approximately 49% of production applications, with an additional 59% of codebases built on open-source foundations that carry their own security risks.
The survey paints a dire picture of application security in the AI-assisted development era. Despite 93% of respondents reporting security breaches from vulnerable applications, organizations continue to prioritize deployment speed over security rigor. The primary barriers cited include pressure to ship quickly, difficulty remediating complex vulnerabilities, and reliance on downstream controls to catch problems. Checkmarx describes this phenomenon as 'normalization of risk'—a systematic acceptance of vulnerability that permeates the development lifecycle. The research also reveals that LLMs, trained primarily on public code repositories, tend to perpetuate existing vulnerabilities and often favor outdated programming practices over modern security features.
- Speed-to-deployment pressure and difficulty fixing vulnerabilities are cited as primary reasons for accepting security risks
- LLMs perpetuate training data vulnerabilities and favor outdated practices over modern secure alternatives
Editorial Opinion
This survey exposes a fundamental failure of accountability in the AI-driven development ecosystem. Developers can no longer claim ignorance—they now have empirical evidence that AI-generated code is riskier, yet continue deploying it at scale. The gap between having security tools and using them reveals an organizational and cultural problem, not a technical one. As AI productivity gains accelerate development cycles, security practices are being left behind, creating compounding systemic risk. Companies that prioritize security discipline alongside AI velocity will ultimately outcompete those gambling with vulnerable code.