Cyber security
Summary is AI-generated, newsdesk-reviewed
  • AI-generated code adoption grows, but governance lags behind among surveyed organisations.
  • 81% of organisations knowingly deploy vulnerable code, risking API breaches via shadow APIs.
  • Security integration vital: Embedding 'code-to-cloud' practices can close readiness gaps.

Checkmarx, the pioneer in agentic AI-powered application security, released the results of its annual survey titled “Future of Application Security in the Era of AI,” offering a candid assessment of how AI‑accelerated development is reshaping the risk landscape and how to prepare for the year ahead.

The study surveyed more than 1,500 CISOs, AppSec managers and developers across North America, Europe and Asia‑Pacific to understand how organisations are adapting to a world where software is increasingly written by machines.

AI‑generated code

Half of respondents already use AI security code assistants and 34% admit that more than 60%

The findings paint a stark picture: AI‑generated code is becoming mainstream, but governance is lagging. Half of respondents already use AI security code assistants and 34% admit that more than 60% of their code is AI‑generated. 

Yet only 18% have policies governing this use. The growing adoption of AI coding assistants is eroding developer ownership and expanding the attack surface.

Expect API breaches

The research also shows that business pressure is normalising risky practices. Eighty‑one percent of organisations knowingly ship vulnerable code, and 98% experienced a breach stemming from vulnerable code in the past year, that’s a sharp rise from 91% in 2024.

Within the next 12 to 18 months, nearly a third (32%) of respondents expect Application Programming Interface (API) breaches via shadow APIs or business logic attacks.

Application security tools

Despite these realities, fewer than half of the respondents report deploying foundational security tools

Despite these realities, fewer than half of the respondents report deploying foundational security tools, such as using mature application security tools, such as dynamic application security testing (DAST) or infrastructure‑as‑code scanning. 

While DevSecOps is widely discussed industry-wide, only half of organisations surveyed actively use core tools and just 51% of North American organisations report adopting DevSecOps.

Velocity of AI‑assisted development

The velocity of AI‑assisted development means security can no longer be a bolt‑on practice. It has to be embedded from code to cloud,” said Eran Kinsbruner, vice president of portfolio marketing.

Our research shows that developers are already letting AI write much of their code, yet most organisations lack governance around these tools. Combine that with the fact that 81% knowingly ship vulnerable code and you have a perfect storm. It’s only a matter of time before a crisis is at hand.”

Six strategic imperatives

The report outlines six strategic imperatives for closing the application security readiness gap

The report outlines six strategic imperatives for closing the application security readiness gap: move from awareness to action, embed “code‑to‑cloud” security, govern AI use in development, operationalise security tools, prepare for agentic AI in AppSec, and cultivate a culture of developer empowerment.

Kinsbruner added: “To stay ahead, organisations must operationalise security tooling that is focused on prevention. They need to establish policies for AI usage and invest in agentic AI that can automatically analyse and fix issues in real-time. AI-generated code will continue to proliferate; secure software will be the competitive differentiator in the coming years.”

Embedding security into development

Chris Ledingham, Director Northern Europe, comments: “Our research found that nearly one third, 32%, of European respondents say their organisation often deploys code with known vulnerabilities, compared with 24% of those in North America. This suggests the need for a stronger focus across our region on embedding security into development."

"With AI now writing much of the code base, security pioneers face heightened accountability. Boards and regulators will rightly expect CISOs to implement robust governance for AI generated code and to ensure vulnerable software isn’t being pushed to production.”

Checkmarx’s announcement of general availability

The release of this report follows Checkmarx’s announcement of general availability of its Developer Assist agent, with extensions to top AI-native Integrated Development Environments (IDEs), including Windsurf by Cognition, Cursor, and GitHub Copilot. 

This new agent—the first in a family of agentic-AI tools to enhance security for developers, AppSec pioneers, and CISO’s alike—delivers real-time, context-aware issue identification and guidance to developers as they code for autonomous prevention.   

Download the full “Future of Application Security in the Era of AI” report at Checkmarx website to learn how organisations can navigate the AI‑accelerated risk landscape and build secure‑by‑default development practices.

From facial recognition to LiDAR, explore the innovations redefining gaming surveillance

Related white papers
Aligning physical and cyber defence for total protection

Aligning physical and cyber defence for total protection

Download
Combining security and networking technologies for a unified solution

Combining security and networking technologies for a unified solution

Download
System design considerations to optimize physical access control

System design considerations to optimize physical access control

Download
Related articles
How physical security consultants ensure cybersecurity for end users

How physical security consultants ensure cybersecurity for end users
How managed detection and response enhances cybersecurity management in organisations

How managed detection and response enhances cybersecurity management in organisations
Drawbacks of PenTests and ethical hacking for the security industry

Drawbacks of PenTests and ethical hacking for the security industry