TechRadar
Sead Fadilpašić

'AI-generated code is outpacing every manual remediation model in existence': Nearly all firms admit they have shipped code they know is vulnerable

  • Checkmarx research found 75% of organizations knowingly ship vulnerable code
  • The time-to-exploit window is expected to shrink to just one minute, raising urgent risks for some sectors
  • Vibe-coded apps built entirely via AI chat are compounding exposure

Artificial Intelligence (AI) has made it unaffordable for organizations to ship code they already know is vulnerable, but they seem to be doing so anyway, new research has claimed.

Security experts Checkmarx found shipping vulnerable code became “standard operating behavior”, with 75% of organizations admitting they often or sometimes deploy code they already know is vulnerable.

The announcement hints that companies have been taking somewhat calculated risks: less than a decade ago (in 2018), the average time to exploit a software vulnerability was 840 days. That was more than enough time to ship a product, get it running, and then sort out the kinks along the way.

AI ex machina

However, AI tools have completely flipped the script. The report argues that today it takes less than two days to exploit a vulnerability, and that in less than two years the time-to-exploit window will shrink even further, down to just one minute.

Checkmarx says this warning will be “particularly relevant” for healthcare, given the fact that hospitals and health systems are already facing escalating ransomware attacks, third-party software risk, and growing regulatory pressure, especially in the aftermath of the Change Healthcare incident.

Vibe-coded apps (solutions built entirely by chatting with an AI, without manual review of the code) will only compound the problem, it seems. Recent Wired research suggested that plenty of vibe-coded web apps were being pushed live with “weak or nonexistent auth, exposed data, and basic security flaws.”

The report, which was released earlier this month, claims that the researchers found more than 5,000 apps that were exposing corporate or personal data on the open web. It included medical data, financial information, internal corporate data, as well as customer chats.
