AI-generated code outperforms all existing manual remediation models”: Almost every company admits to shipping code they know is vulnerable.

A Checkmarx study found that 75% of organizations knowingly ship vulnerable code.
The operating time window is expected to be reduced to just one minute, raising urgent risks for some sectors.
Vibe Coded Apps, Created Entirely Through AI Chat, Worsen Exposure

Artificial intelligence (AI) has made it unaffordable for organizations to ship code they already know is vulnerable, but they appear to be doing it anyway, according to new research.

Security experts Checkmarx found that sending vulnerable code has become “standard operational behavior”, with 75% of organizations admitting that they often or sometimes deploy code that they already know is vulnerable.

The announcement suggests that companies were taking somewhat calculated risks: less than a decade ago (in 2018), the average time to exploit a software vulnerability was 840 days. This was more than enough to ship a product, get it working, and then fix any issues along the way.

AI ex machina

However, AI tools have completely turned the tables: the report now claims that it takes less than two days to exploit a vulnerability, and in less than two years, the time to exploit will be reduced even further, to just one minute.

Checkmarx says this warning will be “particularly relevant” to healthcare, given that hospitals and health systems are already facing escalating ransomware attacks, third-party software risks, and increasing regulatory pressure, particularly in the wake of the Change Healthcare incident.

It appears that Vibe-coded apps (solutions built entirely by talking to an AI, without manual code reviews) will only make the problem worse. Recent research from Wired suggests that many ambiance-coded web applications were going live with “weak or no authentication, exposed data, and basic security flaws.”

The report, released earlier this month, claims researchers found more than 5,000 apps exposing corporate or personal data on the open web. It included medical data, financial information, internal company data, as well as discussions with customers.