Artificial intelligence-generated code has become a daily fixture for developers across the technological spectrum. These digital tools have made writing lengthy code much easier. However, experts say this trade-off comes with new security risks and a continued need for human oversight.
Developers say artificial intelligence (AI) slashes a lot of the grunt work in writing code, but seasoned developers are spotting flaws at an alarming rate.
The report noted 45 percent of code samples failed security tests and introduced vulnerabilities outlined by the cybersecurity nonprofit, the Open Worldwide Application Security Project.
Veracode researchers called the study’s findings a “wake-up call for developers, security leaders, and anyone relying on AI to move faster.”
Some experts say the high number of security flaws isn’t shocking given AI’s current limitations with coding.
“I’m surprised the percentage isn’t higher. AI-generated code, even when it works, tends to have a lot of logical flaws that simply reflect a lack of context and thoughtfulness,” Kirk Sigmon, programmer and partner at intellectual property law firm Banner Witcoff, told The Epoch Times.
Cybersecurity researcher and former mission operator for the Iris Lunar Rover, Harshvardhan Chunawala, compared AI code writing to home building. He said it’s like having AI draft a quick blueprint for a house, but the blueprint might include doors that don’t lock, windows that don’t fit, or wiring that’s unsafe.
And with AI’s advance into critical digital infrastructure, he said the system isn’t just making “blueprints” anymore, but ordering materials and beginning construction before a foundation inspection has taken place.
“A human architect still has to check every detail before the ‘house’ is safe to live in,” Chunawala said.
Sigmon has extensive coding experience with AI and its subset, machine learning. He used a recent example to highlight the limitations of AI-generated code.
“I was helping a friend program a space-themed website one night, and I tried to see if an LLM could give me some quick and easy code for CSS3-friendly panoramic stars for the website background,” he said.
Sigmon noted the results were underwhelming and demonstrated AI’s current limitations.
“The model’s output did indeed comprise code that tried to generate stars, but it lumped all of them in the upper-right corner of the browser and, instead of making them twinkle nicely, made them strobe like some sort of impromptu rave,” he said.
“It knew to draw stars in a background and knew they should twinkle, but had no bigger-picture context on why I’d want that, much less how it could look aesthetically pleasing.”
Sigmon said AI-generated code is also creating lazy habits that will have an impact on the industry’s future.
Hallucinating Code
Sigmon said he learned to code the way many old-school programmers did: through trial and error.
“The ready availability of lazy, AI-generated code means that new graduates are entering the workforce and also generating bad [or] unreliable code, which means that lots of programs are simply becoming worse,” he said.
Consequently, many modern codebases are largely incomprehensible or not very useful anymore, according to Sigmon.
“I used to be able to pick up any other coder’s work and roughly understand their intent … Nowadays, lots of it just gives me a crippling headache,” he said.

A fellow coder and former web content manager who asked only to be referred to by his first name, James, agreed with Sigmon.
“You need to be really careful with your edits. You just can’t trust AI code,” James told The Epoch Times. He said coders need to be careful because the more complex a project gets, the worse AI’s “hallucinations” will be.
“You can get pretty far down the line [in code] before realizing there’s a mistake and AI was just hallucinating,” he said.
Throwing another wrench into the equation, James said AI sometimes doubles down on its mistakes, or even defends them.
“This happened while I was developing a role-playing combat app. What I wanted was just to grab the name from the first file, and it [AI] kept losing that, and it kept trying to take other data from the same file,” James said.
Changing the Vibe
Chunawala said AI has been a game-changer for code writing.
“The single biggest change for us computer scientists has been speed. Where developers once spent hours setting up the skeleton of a program or writing repetitive test cases, AI can now draft those in minutes,” Chunawala told The Epoch Times.
However, he said this newfound speed comes with a significant challenge: trust.
“AI often generates code that looks flawless at first glance, yet when you examine it closely, you discover gaps in logic, outdated methods, or subtle flaws that can compromise security,” Chunawala said.
Cybersecurity expert Nick Nikiforakis told The Epoch Times that AI is good at writing “boilerplate” code.
“It is not difficult to write; it is repetitive, and yet it is something that is required. AI excels in producing that kind of code, which can be used with minimal modifications, assuming the prompt included all the right specifications,” Nikiforakis said.
He believes the verdict is still out on whether the average developer can create code with fewer bugs than its AI-generated counterpart. That said, Nikiforakis thinks “vibe coding” could create a dangerous scenario.
Vibe coding has become synonymous with the idea that a human developer can just trust AI to get it right while staying focused on the bigger picture.
Nikiforakis says that’s problematic.
“If you have people who don’t write software for a living, and never dreamed of trying before AI, then their only gauge on whether a piece of software is good is its functionality,” he said.
“Unfortunately, this is a case of ‘you don’t know what you don’t know,’ and therefore these users would not be able to recognize a vulnerability that finds its way into their production software.”

Nikiforakis said if vibe-coded software becomes popular, it’ll be a “recipe for disaster.”
Chunawala said AI code should be taken seriously from a security standpoint.
“Research has shown that roughly 40 to 45 percent of AI-generated applications contain vulnerabilities. In other words, almost half of the software created with AI could give attackers an opening,” he said.
Chunawala emphasized that these security vulnerabilities are not abstract. He called them “very real risks” and gave examples such as failing to sanitize user input, which can allow malicious commands to sneak in.
Another security risk with AI-generated code is the reliance on outdated “libraries” that hackers already know how to exploit.
“This happens because AI is trained on vast amounts of public code, and much of that public code already contains mistakes,” Chunawala said.
“The model doesn’t distinguish between best practice and bad practice; it reproduces both. Without thorough human review and guardrails, these weak spots go straight into production systems,” he added.
But therein lies another problem: Human coders and software developers are losing jobs to AI at an accelerating pace.
James is part of the tech workforce that has been struggling to find steady work since he was laid off with the rest of his department in February. When he looked for jobs four years ago, James said employers were practically “throwing money” at him.
Now, he said, the job market is flooded with talented developers looking for work.
“Part of it is the efficiency of AI. We can do what we did before, but we can do it much faster. You don’t need extra people. Maybe you used to need two or three developers, but now you only need one,” James said, emphasizing that competition for jobs in his field is “through the roof.”
“In an ideal world, you would need a team to review anything AI builds. But these decisions aren’t typically made by the people who understand the technology,” he said.







