AI-generated code outperforms all existing manual remediation models’: Almost all companies admit to sending code they know is vulnerable

Checkmarx research found that 75% of organizations knowingly send vulnerable code
The time period for exploitation is expected to shrink to just one minute, increasing pressing risks for some sectors
Vibe-coded apps built entirely via AI chat exacerbate exposure

Artificial intelligence (AI) has made it prohibitive for organizations to ship code they already know is vulnerable, but they appear to be doing it anyway, new research has claimed.

Security experts Checkmarx found that shipping vulnerable code became “standard operating behavior,” with 75% of organizations admitting they often or sometimes deploy code they already know is vulnerable.

The announcement suggests that companies were taking little calculated risks: less than a decade ago (in 2018), the average time to exploit a software vulnerability was 840 days. That was more than enough time to ship a product, get it running and then fix kinks along the way.

AI from machine

However, AI tools have completely flipped the script – with the report claiming today that it takes less than two days to exploit a vulnerability, and that in less than two years the time-to-exploitation window will shrink even further to just one minute.

Checkmarx says this warning will be “particularly relevant” to healthcare given that hospitals and healthcare systems are already facing escalating ransomware attacks, third-party software risk and growing regulatory pressure, particularly in the wake of the Change Healthcare incident.

Vibe-coded apps (solutions built solely by chatting with an AI, without manually reviewing the code) will only exacerbate the problem, it seems. Recent Wired research suggested that plenty of vibe-coded web apps were pushed live with “weak or non-existent authentication, exposed data and basic security flaws.”

The report, released earlier this month, claims researchers found more than 5,000 apps that exposed corporate or personal data on the open web. It included medical data, financial information, internal company data as well as customer chats.