- Checkmarx research found that 75% of organizations knowingly ship vulnerable code
- Exploitation time is expected to be reduced to just one minute, posing urgent risks for some sectors.
- Vibe-Coded Apps Created Entirely Using AI Chat Are Compounding Exposure
Artificial intelligence (AI) has made shipping code that is already known to be vulnerable a risk organizations can no longer afford, but it appears they are doing it anyway, new research claims.
Security experts at Checkmarx found that shipping vulnerable code has become “standard operating behavior,” with 75% of organizations admitting that they often or sometimes deploy code that they already know is vulnerable.
The announcement suggests that companies were taking somewhat calculated risks: less than a decade ago (in 2018), the average time to exploit a software vulnerability was 840 days. That was more than enough time to ship a product, get it up and running, and then fix any problems along the way.
AI ex machina
However, AI tools have completely flipped the script: as argued in today’s report, it takes less than two days to exploit a vulnerability, and in less than two years, the window for exploitation will be reduced even further, to just one minute.
Checkmarx says this warning will be “particularly relevant” to healthcare, given the fact that hospitals and health systems are already facing increasing ransomware attacks, third-party software risk, and growing regulatory pressure, especially after the Change Healthcare incident.
It seems that vibe-coded apps (solutions created entirely through chat with an AI, without manual code review) will only exacerbate the problem. A recent Wired investigation suggested that many vibe-coded web applications were being deployed with “weak or nonexistent authentication, exposed data, and basic security flaws.”
The report, which was published earlier this month, states that researchers found more than 5,000 apps that exposed corporate or personal data on the open web. The exposed data included medical data, financial information, internal corporate data, and customer chats.





