Survey Highlights Security Breaches Linked to Vulnerable Code in DevOps
Mike Vizard examines a major survey that reveals most organizations face security breaches from vulnerable code, exploring DevOps and AI-related risks and best practices for application security.
Author: Mike Vizard
Overview
A recent survey of 1,519 application security stakeholders, conducted by Censuswide for Checkmarx, exposes the extensive risks organizations face due to vulnerable code. Nearly 98% of organizations reported experiencing a breach because of known vulnerabilities, and 81% admit to deploying vulnerable code into production under deadline or business pressures.
Key Findings
- Frequent Breaches:
  - 27% suffered four or more breaches due to vulnerable code.
  - 38% admit business or feature deadlines have led to shipping known vulnerabilities.
- Risk Anticipation:
  - Around one-third expect more incidents in the next 18 months.
  - Top security concerns: software supply chain compromise (35%), third-party vendor incidents (35%), misconfigurations in cloud infrastructure (34%), insider threats (33%), and API/business logic attacks (32%).
- Preparedness Gaps:
  - Less than 15% feel ready to handle threats such as attacks on CI/CD pipelines, emerging technologies, supply chain attacks, and generative AI-related risks.
- Security Tool Adoption:
  - Fewer than half of respondents (team leads excluded) actively use tools such as infrastructure-as-code (IaC) scanning (48%) or dynamic application security testing (DAST) (47%).
- Use of AI Tools:
  - With AI coding tools on the rise, over 60% of code at some organizations is AI-generated, yet only 18% have AI tool use officially approved.
  - Many AI-generated code samples contain vulnerabilities because large language models are often trained on flawed public code samples.
- Open Source Exposure:
  - Over two-thirds say at least half of their codebase is open source, introducing potentially uncontrolled vulnerabilities.
Industry Insights
Checkmarx’s VP of Portfolio Marketing, Eran Kinsbruner, notes that developers are overwhelmed by security alerts and lack the time and context to address risks. Checkmarx is responding by integrating AI capabilities, such as Developer Assist, into its security platform, supporting developers directly in their IDEs. Upcoming releases such as Policy Assist and Insights Assist aim to further streamline risk detection and mitigation.
AI and Security Challenges
- The increasing adoption of AI coding tools is accelerating code delivery but also risking security, as AI-generated code can inherit and propagate existing vulnerabilities.
- Best practice: organizations need to vet both AI-generated and open-source code and ensure rigorous security testing as part of the DevOps lifecycle.
DevSecOps Adoption
While organizations are improving DevSecOps workflows, the report stresses the ongoing need for cultural and toolset adoption to keep pace with evolving threats.
Takeaways
- Security breaches due to vulnerable code remain common, exacerbated by business pressures, AI-generated code, and open-source software.
- Organizations should adopt comprehensive security tooling, integrate security into DevOps workflows (DevSecOps), and address cultural challenges in code delivery.
- The adoption of AI in code generation and security tooling is expected to grow, requiring increased focus on both the threats and the opportunities it introduces.
This post appeared first on “DevOps Blog”.