Why 45% of AI-Generated Code Has Security Flaws (And How to Fix It)

Yunhao Jiao

Veracode's 2025 GenAI Code Security Report found that 45% of AI-generated code contains security flaws. Nearly half of everything AI writes has a vulnerability.
This statistic isn't from amateur prompting. It includes code from professional developers using enterprise-grade AI coding tools with security-focused prompting strategies. The best-performing model on BaxBench, even with security-specific prompting, still produced secure code only about 66% of the time.
The security community has quantified the specific vulnerability patterns. AI code is 2.74x more likely to introduce XSS, 1.91x more likely to create insecure direct object references, and 1.88x more likely to implement improper password handling.
These aren't theoretical risks. Aikido Security's survey found 69% of developers had discovered AI-introduced vulnerabilities in their own systems. One in five reported incidents with material business impact.
Why AI Generates Insecure Code
AI coding tools are trained on public code repositories. Public repositories contain a vast amount of insecure code. The model learns the patterns — including the insecure ones — and reproduces them.
Specific patterns:
Input validation is often omitted because training data frequently omits it
Authorization checks are incomplete because the model doesn't understand your permission model
Secrets are sometimes hardcoded because training data contains hardcoded secrets
Error messages are overly verbose because training data leaks internal details
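The four patterns above, as an added Python example that is not code from the original post: each is shown in the form AI tools commonly emit (the functions marked `_insecure`) next to a hardened form. The in-memory document store, the user names, the `APP_API_KEY` variable name and the dummy key value are all constructed for illustration.

```python
# Added example, not code from the original post: each of the four patterns
# above as the form AI tools commonly emit (marked _insecure) next to a
# hardened form. The document store, users and secret values are constructed.
import os


class NotFound(Exception):
    """Single error for both missing and foreign records (no id enumeration)."""


# Constructed in-memory data store standing in for a database table.
DOCUMENTS = {
    1: {"owner": "alice", "body": "alice's notes"},
    2: {"owner": "bob", "body": "bob's notes"},
}


# 1. Input validation: the insecure form trusts the raw request parameter.
def get_document_insecure(doc_id_param):
    return DOCUMENTS[int(doc_id_param)]["body"]  # ValueError/KeyError on bad input


def parse_doc_id(doc_id_param):
    """Validate an untrusted id before it reaches the data layer."""
    if not isinstance(doc_id_param, str) or not doc_id_param.isdigit():
        raise ValueError("doc_id must be a decimal integer")
    return int(doc_id_param)


# 2. Authorization: the insecure form never checks who owns the record (IDOR).
def get_document_insecure_idor(current_user, doc_id_param):
    return DOCUMENTS[parse_doc_id(doc_id_param)]["body"]  # current_user unused


def get_document(current_user, doc_id_param):
    doc = DOCUMENTS.get(parse_doc_id(doc_id_param))
    # Same failure for "does not exist" and "belongs to someone else" so the
    # response does not reveal which ids are valid.
    if doc is None or doc["owner"] != current_user:
        raise NotFound()
    return doc["body"]


# 3. Secrets: a literal in source versus a value read from the environment.
API_KEY_INSECURE = "sk-live-0123456789abcdef"  # constructed dummy value


def load_api_key(env=os.environ):
    key = env.get("APP_API_KEY")
    if not key:
        raise RuntimeError("APP_API_KEY is not set")
    return key


# 4. Error messages: exception detail echoed to the client versus logged.
def error_response_insecure(exc):
    return {"status": 500, "error": f"{type(exc).__name__}: {exc}"}


def error_response(exc, log):
    log.append(repr(exc))  # full detail stays server-side
    return {"status": 500, "error": "internal error"}


if __name__ == "__main__":
    print(get_document("alice", "1"))
    print(get_document_insecure_idor("bob", "1"))  # bob reads alice's record
```

The hardened `get_document` deliberately returns one `NotFound` for both a missing id and another user's id; returning distinct errors would let a caller enumerate which ids exist even when access is denied.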
The Fix: Automated Security Testing on Every PR
You can't prompt your way to secure code; the 66% ceiling reached even with security-specific prompting shows this. The fix is testing, specifically automated security testing that runs on every code change.
TestSprite includes security testing in every run: IDOR checks, authentication validation, input sanitization, XSS detection, and authorization boundary testing. Vulnerabilities are caught on the PR before they merge.
The 45% flaw rate becomes manageable when every flaw is caught before production. Automated security testing is the guardrail that makes AI-speed development safe.
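As an added illustration of a per-PR gate (this is not TestSprite's code nor code from the original post), the Python script below scans only the lines a unified diff adds and flags three of the patterns discussed above: hardcoded secrets, exception details echoed to the client, and unescaped HTML sinks. The rule names, the regular expressions and the sample diff are constructed for this example; in a real pipeline the diff would come from the pull request (for example `git diff origin/main...HEAD`) and the job would fail when any finding is returned.

```python
# Added example, not TestSprite's code or code from the original post: a
# minimal pull-request gate that scans added diff lines for three patterns.
# The rules are heuristics and the sample diff is constructed.
import re

RULES = [
    # A credential-looking name assigned a quoted literal of 8+ characters.
    ("hardcoded-secret",
     re.compile(r"""(?i)(api[_-]?key|secret|password|token)\s*[:=]\s*["'][^"']{8,}["']""")),
    # An exception object formatted straight into a returned/sent response.
    ("verbose-error",
     re.compile(r"""(?:return|jsonify|send)\b[^\n]*(?:(?:str|repr)\(\s*(?:e|exc|err|error|exception)\s*\)|\{\s*(?:e|exc|err|error|exception)\s*\})""")),
    # Sinks that interpret a string as HTML (XSS if the string is untrusted).
    ("unescaped-html-sink",
     re.compile(r"""\.innerHTML\s*=|render_template_string\(|Markup\(""")),
]

HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return [(file, new_line_no, rule, line)] for added lines matching a rule."""
    findings = []
    current_file = None
    new_line = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].removeprefix("b/")
            continue
        if raw.startswith("--- "):
            continue
        m = HUNK_HEADER.match(raw)
        if m:
            new_line = int(m.group(1))  # first line number of the new file in this hunk
            continue
        if raw.startswith("-"):
            continue  # removed lines no longer exist in the new tree
        if raw.startswith("+"):
            line = raw[1:]
            for rule, pattern in RULES:
                if pattern.search(line):
                    findings.append((current_file, new_line, rule, line.strip()))
            new_line += 1
        elif raw.startswith(" ") or raw == "":
            new_line += 1  # unchanged context line
    return findings


# Constructed sample diff: one Python view and one browser script.
SAMPLE_DIFF = """\
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -1,4 +1,8 @@
 import os
+STRIPE_API_KEY = "sk_test_0000000000000000"
 
 def show(doc_id):
-    return render(DOCS[doc_id])
+    try:
+        return render(DOCS[doc_id])
+    except Exception as e:
+        return jsonify({"error": str(e)}), 500
diff --git a/static/app.js b/static/app.js
--- a/static/app.js
+++ b/static/app.js
@@ -10,3 +10,3 @@
 function showName(name) {
-  el.textContent = name;
+  el.innerHTML = name;
 }
"""

if __name__ == "__main__":
    for path, line_no, rule, text in scan_diff(SAMPLE_DIFF):
        print(f"{path}:{line_no}: {rule}: {text}")
```

Scanning only added lines keeps the gate focused on what the change introduces, so pre-existing findings in untouched code do not block every PR; tracking the new-file line number from each `@@` header lets the job annotate the exact line in the review.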