
AI Dev Creates More Vulns Than Fixed


💡 AI dev exploding vulns faster than fixes: 1.6M apps prove security crisis

⚡ 30-Second TL;DR

What Changed

Analyzed data from 1.6 million applications on Veracode's platform

Why It Matters

AI practitioners face rising security risks in rapid dev cycles, potentially leading to more breaches. Teams must adapt workflows to balance speed and security. Enterprises may see increased compliance costs.

What To Do Next

Download Veracode's full report and audit your CI/CD pipeline for AI-generated code vulnerabilities.

Who should care: Developers & AI Engineers

🧠 Deep Insight

Web-grounded analysis with 9 cited sources.

🔑 Enhanced Key Takeaways

  • Security debt now affects 82% of organizations (up from 74% year-over-year), and 60% carry 'critical' security debt capable of causing catastrophic damage if exploited[3]
  • Open-source and third-party dependencies account for 66% of the most dangerous, longest-lived vulnerabilities, indicating that supply chain security remains a critical weak point despite incremental improvements[1]
  • The report analyzed 1.6 million unique applications across enterprises, commercial software suppliers, software outsourcers, and open-source projects, using multiple testing methods including static analysis, dynamic analysis, software composition analysis, and manual penetration testing[1][2]
  • AI's influence on software creation is directly linked to both increased vulnerability volume and altered vulnerability patterns in codebases, exacerbating the remediation capacity crisis[2]
  • Only 11.3% of flaws pose real-world danger based on exploitability metrics, suggesting organizations can reduce actual risk faster by shifting from generic severity scoring to prioritization by real-world attack potential[2]

🔮 Future Implications

AI analysis grounded in cited sources.

  • DevSecOps automation will become mandatory rather than optional for organizations to keep security velocity on par with development velocity. Manual security testing is identified as an obsolete bottleneck that developers bypass to meet deadlines, making integrated automated security the only viable path forward[5]
  • Third-party dependency management will emerge as a primary security battleground, as 66% of the most dangerous vulnerabilities originate from open-source components. The outsized risk concentration in third-party libraries indicates that supply chain security practices will become as critical as internal code security[1]
  • Organizations will face increasing pressure to adopt risk-based prioritization frameworks rather than attempting comprehensive vulnerability remediation. The fundamental mismatch between development velocity and remediation capacity makes universal vulnerability fixing mathematically impossible, forcing strategic triage[1]

โณ Timeline

2010: Veracode State of Software Security report series begins (1st annual edition)
2025-02: Veracode 2025 State of Software Security report released; security debt at 74% of organizations
2026-02: Veracode 2026 State of Software Security report released (16th annual edition); security debt surges to 82%, critical security debt increases 20% year-over-year, high-risk vulnerabilities spike 36%
AI-curated news aggregator. All content rights belong to original publishers.
Original source: The Register - AI/ML