Veracode’s newly released 2025 State of Generative AI and Code Security Report has revealed that nearly half of all AI-generated code contains security vulnerabilities.
The study evaluated over 100 AI models across multiple programming languages—Java, Python, JavaScript, and C#—and found that 45 percent of generated code failed basic security checks.
Many of these failures included vulnerabilities such as cross-site scripting and log injection. The report provides important insights for developers and organizations adopting AI tools in software development.
Key findings
The study involved over 80 programming tasks designed to assess whether AI tools could choose secure coding approaches when both secure and insecure options were available. Alarmingly, in 45 percent of tasks, AI models generated insecure code despite the presence of safer alternatives.
Security failure rates by language:
- Java: 72 percent failure rate
- Python: 38 percent
- JavaScript: 43 percent
- C#: 45 percent
Among the most common vulnerabilities were:
- Cross-site scripting (CWE-80): Detected in 86 percent of relevant tasks
- Log injection (CWE-117): Found in 88 percent of cases
These issues often arise because generative models replicate patterns from training data without a full understanding of secure programming practices.
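The two CWEs named above usually come down to the same habit: interpolating an untrusted value into a log line or an HTML page unchanged. The following added example (not code from the report or from Veracode) puts the insecure pattern beside the secure alternative for both, using constructed sample inputs, so a reviewer can see what a scanner such as SAST is flagging when a model picks the wrong option:

```python
import html
import re

# Constructed sample: a username that embeds CR/LF followed by a fake
# "login ok user=admin" record. Illustrates CWE-117 (log injection).
TAINTED_USER = "alice\r\n2025-07-30 12:00:01 INFO login ok user=admin"

# The pattern generated code commonly emits: the value goes in as-is.
def log_line_insecure(user: str) -> str:
    return f"2025-07-30 12:00:00 INFO login failed user={user}"

# Secure alternative: neutralize CR, LF and other control characters so a
# single call can never yield more than one log record.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def neutralize(value: str) -> str:
    # Replace each control character with a visible \xNN escape.
    return _CONTROL.sub(lambda m: f"\\x{ord(m.group()):02x}", value)

def log_line_secure(user: str) -> str:
    return f"2025-07-30 12:00:00 INFO login failed user={neutralize(user)}"

def record_count(text: str) -> int:
    # One physical line is one record; a forged entry shows up as an extra line.
    return len(text.splitlines())

# Constructed sample for CWE-80 (basic XSS): the same "reflect unchanged"
# habit, this time in HTML output.
TAINTED_NAME = '<img src=x onerror="alert(1)">'

def greeting_insecure(name: str) -> str:
    return f"<p>Hello, {name}</p>"

def greeting_secure(name: str) -> str:
    # html.escape neutralizes <, >, & and (with quote=True) both quote styles.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

if __name__ == "__main__":
    print(record_count(log_line_insecure(TAINTED_USER)))  # 2: a forged record
    print(record_count(log_line_secure(TAINTED_USER)))    # 1
    print(greeting_insecure(TAINTED_NAME))
    print(greeting_secure(TAINTED_NAME))
```

Running it shows the insecure logger producing two records from one call while the secure one produces a single record with the control characters made visible, and the escaped greeting carrying no live markup.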
AI model size does not equal better security
Despite advancements in large language models (LLMs), the report found that newer and larger models do not produce more secure code than older or smaller ones.
This suggests that model architecture and size have minimal influence on security performance, and that LLMs are not currently trained to prioritize secure practices.
Instead, most models tend to focus on producing code that appears functionally correct but may be insecure. This highlights a fundamental flaw in how these systems are trained and evaluated.
Hidden security risks in software supply chains
The report warns that AI-generated code is increasingly entering systems indirectly. Open-source projects, external development teams, and even low-code platforms often rely on generative AI tools.
As a result, many organizations may unknowingly deploy vulnerable code, increasing their exposure to cyber threats. Veracode stresses the importance of scanning both internal and third-party codebases for vulnerabilities, regardless of the source.
Recommendations for development teams
To address these risks, Veracode recommends the following practices:
- Conduct Static Application Security Testing (SAST) on all AI-generated code
- Use Software Composition Analysis (SCA) to check dependencies and third-party libraries
- Integrate security tools into coding workflows and agentic AI tools
- Apply AI-powered remediation tools like Veracode Fix to suggest secure code replacements
These measures help teams detect and fix vulnerabilities before deployment, reducing the chance of exploitation.
Our thoughts
From a Malaysian developer’s perspective, using generative AI tools can save time, but this report shows why it is essential not to cut corners on security.
The convenience of auto-generated code must be balanced with responsible oversight. For teams in Malaysia exploring AI-assisted development, integrating proper testing tools is no longer optional—it is a necessity.
Are your AI-powered development tools generating more risk than reward? Would your systems catch a cross-site scripting flaw introduced by a model?
Veracode’s report is a timely reminder that even free or open-source AI tools can cost you in the long run—if vulnerabilities slip through undetected.
Stay tuned to TechNave.com for more updates.