Mike Vizard analyzes survey findings about the widespread impact of vulnerable code on organizational security, including the challenge of AI-generated code, adoption of security tools, and the ongoing evolution of DevSecOps practices.

Most Organizations Face Breaches Caused by Vulnerable Code, Survey Finds

Author: Mike Vizard

A recent survey involving 1,519 application security stakeholders reveals alarming statistics regarding the prevalence and impact of vulnerable code:

Key Findings

  • 98% of respondents report working at organizations that experienced a breach attributed to vulnerable code.
  • 81% admit to shipping code with known vulnerabilities to production.
  • 27% suffered four or more breaches due to these vulnerabilities.
  • 38% delivered vulnerable code due to pressures such as business needs or deadlines.

Major Risk Factors

  • Top threat vectors for future incidents (next 18 months):
    • Software supply chain compromises (35%)
    • Third-party vendor/partner incidents (35%)
    • Cloud infrastructure misconfigurations (34%)
    • Insider threats/privileged access misuse (33%)
    • API security breaches or business logic attacks (32%)
  • Emerging threats for which few respondents report being prepared (share reporting preparedness):
    • Attacks on CI/CD pipelines (14%)
    • Attacks on development environments (14%)
    • Supply chain and upstream dependency threats (14%)
    • Advanced API and business logic exploits (13%)
    • Security risks from generative AI in development workflows (12%)

Security Tool Adoption Gaps

  • Fewer than half of respondents (software development team leads excluded) use:
    • Infrastructure-as-Code (IaC) scanning tools (48%)
    • Dynamic Application Security Testing (DAST) tools (47%)

Developer Perspective and Organizational Challenges

  • Developers often lack the time to address security issues and face high volumes of alerts with little prioritization or risk context, so findings that matter are hard to separate from noise.
  • Pressure to ship new features frequently overrides thorough security review.

AI-Driven Security and Code Generation

  • The article references Checkmarx’s release of the Checkmarx One Developer Assist, an AI-driven tool that integrates with IDEs to help developers address security risks in real time.
  • Soon-to-launch Policy Assist and Insights Assist agents aim to improve software supply chain security further.

  • Concerns are rising as AI-generated code becomes more common:
    • A third of surveyed developers said over 60% of their code is AI-generated.
    • Only 18% had organizational approval to use AI coding tools.
    • The article attributes much of the vulnerable AI-generated code to flawed training data in the underlying large language models (LLMs).
    • 67% of all respondents say at least half of their applications’ codebase is open-source, introducing ongoing challenges for vulnerability management.

Ongoing DevSecOps Progress

  • Adoption of DevSecOps practices is advancing, but significant challenges in securing code and the broader software supply chain remain at every stage of the software development lifecycle.

Summary

Modern application security faces escalating vulnerabilities—amplified by AI-generated code, open-source adoption, and fast-moving DevOps environments. Organizations and developers must prioritize comprehensive security practices and tool adoption to address these enduring threats.

This post appeared first on “DevOps Blog”.