Sep 5, 2025

Artificial intelligence coding assistants may easily seem like a djinn ready to make code appear out of thin air. Google and Microsoft report that a third of their new code is now AI-generated, and multiple companies are on record as strongly encouraging or mandating that their developers use AI tools. Many developers tap coding assistants as GitHub Copilot, a large language model trained on GitHub code repositories, or Cursor AI, an AI-assisted, integrated a code development environment built on Visual Studio. Another growing area involves AI command-line interactions tools such as Anthropic's Claude Code and OpenAI's Codex CLI. These "tend to be agentic - meaning they can execute commands, edit multiple files, use version control - essentially acting like a junior dev who knows how to use the terminal," said London-based software developer expert Roberto Infante, author of "AI Agents and Applications," in a May blog post. The business driver for using such tools is easy to articulate: speed. Earlier this year, many organizations were reporting a 50% increase in developer productivity thanks to such tools. A new study by Apiiro suggests recent gains are even bigger, finding that AI code assistants help developers ship code four times as quickly. That's based on its review of code bases being used by several thousand developers, comprising tens of thousands of code repositories, at some of the largest publicly traded companies in the world. But this speed comes at a cost. More code means more vulnerabilities that need to be eradicated, preferably before the code leaves the testing environment and goes into production. The reason for the increase in vulnerabilities is that code assistant LLMs are trained to emulate what real-world developers do. As a result, they produce code containing roughly the same quantity of vulnerabilities as classically built code, said said Chris Wysopal, co-founder and chief security evangelist at Veracode, in an interview at RSAC Conference 2025 in May. Noting the irony, he said that "for me, the only solution is to use more AI" by training another tool to spot bad code, thus essentially using one AI-enabled tool to fix another (see: Unpacking the Effect of AI on Secure Code Development New research suggests that besides creating an equal number of vulnerabilities as developers, AI code assistants can also introduce bigger problems. Larger Pull Requests One challenge comes in the form of how AI coding assistants tend to package their code. Rather than delivering bite-size pieces, they generally deliver larger code pull requests for porting into the main project repository. Apiiro saw AI code assistants deliver three to four times as many code commits - meaning, changes to a code repository - than non-AI code assistants, but packaging fewer pull requests. The problem is that larger PRs are inherently riskier and more time-consuming to verify. "Bigger, multi-touch PRs slow review, dilute reviewer attention and raise the odds that a subtle break slips through," said Itay Nussbaum, a product manager at Apiiro. "In one case, a single AI-driven PR changed an authorization header across multiple services. One downstream service wasn't updated. Result: a silent auth failure that could expose internal endpoints." Small Flaws Down, Big Problems Up One upside from using AI code assistants, beyond productivity, is that they appear well-versed in eliminating easy-to-spot flaws. "Our analysis shows trivial syntax errors in AI-written code dropped by 76%, and logic bugs fell by more than 60%," compared to non-AI code development, Nussbaum said. At the same time, the tools generated deeper problems, in the form of a 150% increase in architectural flaws and an 300% increase in privilege issues. "These are the kinds of issues scanners miss and reviewers struggle to spot - broken auth flows, insecure designs, systemic weaknesses," Nussbaum said. "In other words, AI is fixing the typos but creating the timebombs." The tools also have a greater tendency to leak cloud credentials. "Our analysis found that AI-assisted developers exposed Azure service principals and storage access keys nearly twice as often as their non-AI peers," Nussbaum said. "Unlike a bug that can be caught in testing, a leaked key is live access: an immediate path into production cloud infrastructure." Like Wysopal, Nussbaum said the mandate for organizations that use AI coding assistants should be clear: "If you're mandating AI coding, you must mandate AI AppSec in parallel. Otherwise, you're scaling risk at the same pace you're scaling productivity." in other words, be careful what you wish for. Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.