A global survey of 2,350 developers, CISOs and application security managers published this week finds that while nearly all respondents (96%) work for organizations that have embedded or connected artificial intelligence (AI) code and tools into some aspect of their application development workflows, nearly half of all code (49%) running in production environments was AI-generated in 2025.

Conducted by the market research firm CensusWide on behalf of Checkmarx, the survey also finds 70% of respondents reporting they are now discovering more vulnerabilities, with 31% describing that increase as significant.

On average, developers are spending 49% of their time in a given week on security-related issues, the survey finds. Nearly all said the application security guidance surfaced in integrated development environments (IDEs) is effective, but only 18% continuously scan code as it is being written.

A full 93% also acknowledge their organization has experienced at least one security breach as a direct result of a vulnerable application their organization developed, with three quarters of respondents (75%) admitting they knowingly deploy vulnerable code often or sometimes.

Top reasons cited for shipping vulnerable code were a belief that existing controls would mitigate the risk, the hope that the vulnerability would not be discovered (30%) and the need to meet a business, feature or security-related deadline (27%).

More troubling still, nearly all respondents (95%) said they feel pressure either frequently (47%) or occasionally (48%) to prioritize or delay reporting of a compliance-related security issue.

Jonathan Rende, chief product officer for Checkmarx, said the survey makes it clear that far too many organizations are not rigorously enforcing DevSecOps best practices. With so much continuing emphasis on building new features as quickly as possible, many application development teams are being set up to fail, he added.

In fact, the survey finds only 9% of organizations report fixing more than 90% of vulnerabilities within 90 days. Just over a quarter (28%) said they can remediate fewer than half of the vulnerabilities discovered within that timeframe.

That issue is only going to become more pressing as frontier AI models make it simpler both to discover vulnerabilities and to create the malware that exploits them, he added. In fact, the survey finds that open source software accounts on average for 59% of the code running in production environments, and much of that code is now being discovered to be rife with vulnerabilities.

Despite the current state of application security, nearly three quarters of respondents (73%) rate the application security posture of their organizations as either being highly mature or advanced. However, nearly half of the respondents with highly mature application security postures experienced three or more breaches in the last 12 months.

There is clearly much work to be done to improve the overall state of DevSecOps within organizations. The issue is that, in the age of AI, those same organizations are starting to realize that the technical security debt they have been kicking down the proverbial road for years is now coming due a whole lot faster than anyone expected.
