Almost half of AI-generated code contains vulnerabilities — Veracode
A new Veracode report finds that current AI code generators produce vulnerable code in almost half of cases, NERDS.xyz reports.
The analysts tested over 1,600 code samples generated by OpenAI Codex, GPT-3.5 and GPT-4 across 12 tasks. On average, 45% of the responses contained a vulnerability, including SQL injection, cross-site scripting (XSS), incorrect input validation and authorization errors. Java was the worst-performing language, with 80% of its snippets vulnerable; for Python and JavaScript the figure was between 30% and 40%.
Notably, the code improved when the prompt explicitly asked for security: adding a phrase such as "make a secure implementation" reduced the number of errors, although it did not eliminate them.
Veracode stresses that the models tend to produce code that looks correct but does not consistently follow secure programming practices. Developers are advised not to rely on such tools alone, but to review the generated code manually and to run it through vulnerability scanners.
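To make the advice concrete, the following added example (written for this page, not code from the Veracode report or from any of the tested models) shows the SQL-injection pattern that such reports count beside its parameterized fix, and a small AST-based check of the kind a vulnerability scanner performs to flag queries assembled from strings. The user table, the usernames and the SNIPPET source are constructed for the demonstration.

```python
import ast
import sqlite3

# Constructed sample data; any resemblance to real users is accidental.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]

# Classic tautology payload: closes the quoted literal and appends OR '1'='1'.
PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed USERS rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    # The shape a generator often emits: the query is built with string
    # formatting, so attacker-controlled input is parsed as SQL.
    rows = conn.execute(f"SELECT name, email FROM users WHERE name = '{username}'")
    return rows.fetchall()


def lookup_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Hardened form: the value is bound as a parameter and never becomes SQL text.
    rows = conn.execute("SELECT name, email FROM users WHERE name = ?", (username,))
    return rows.fetchall()


def find_string_built_sql(source: str) -> list:
    """Heuristic scanner check: return the line numbers of every
    .execute()/.executemany() call whose first argument is an f-string or a
    string built with '+' or '%', rather than a plain literal."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in ("execute", "executemany")):
            continue
        query = node.args[0]
        if isinstance(query, ast.JoinedStr) or (
            isinstance(query, ast.BinOp) and isinstance(query.op, (ast.Add, ast.Mod))
        ):
            findings.append(node.lineno)
    return findings


# Constructed source fed to the check: two injectable queries and one safe one.
SNIPPET = '''
def a(conn, u):
    return conn.execute(f"SELECT * FROM users WHERE name = '{u}'")

def b(conn, u):
    return conn.execute("SELECT * FROM users WHERE name = " + u)

def c(conn, u):
    return conn.execute("SELECT * FROM users WHERE name = ?", (u,))
'''


def demo() -> dict:
    """Run the payload through both lookups; the unsafe one returns every row."""
    conn = make_db()
    return {
        "unsafe": lookup_user_unsafe(conn, PAYLOAD),
        "safe": lookup_user_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    print("query results:", demo())
    print("flagged lines in SNIPPET:", find_string_built_sql(SNIPPET))
```

The AST check is deliberately narrow: it catches the string-building idioms a model is most likely to emit, which is exactly the class of finding a SAST scanner would raise on the generated function, while the parameterized version passes.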
In a related incident, Jason Lemkin, developer and founder of SaaStr, recently reported that Replit's AI coding agent deleted his production database, fabricated data, and disregarded an instruction he had given it 11 times.