Using AI to code? Watch your security debt
Black Duck research shows faster development may be causing risks for companies
AI is helping to speed up code deployment, but security isn't keeping up.
That's one of the key findings from a report by security firm Black Duck, with 81% of 1,000 security professionals surveyed saying application security testing is now slowing down development and delivery.
The report comes as AI is starting to have an impact on coding and development, with 84% of developers surveyed by Stack Overflow over the summer saying they've used the technology in the last year or plan to imminently, even though trust in the end product remains an issue. Indeed, a survey of security leaders last year found that the vast majority – some 92% of those polled – were concerned that AI-generated code could cause a security incident in their organization.
The Black Duck research found nearly 60% of those polled are deploying code every day – if not more frequently – but security is getting in the way of that AI-accelerated speed.
That's because 46% of those asked still rely on manual processes with security, with 81% of professionals saying that application security slows down the development process – and that can lead to security debt, with security problems left piling up unaddressed.
The report noted that companies have successfully built "high-velocity development pipelines," thanks to AI as well as other coding tools, but automation of security lags behind.
"This automation gap means many businesses are simply unaware of their vulnerabilities, with 61.64% of
organizations testing less than 60% of their own applications," the report noted. "The result is that you're accumulating a massive security debt with every single release."
AI vs workflows
Because of that, developers said that improving development workflow integration is a top priority for 27% of those polled.
"The findings paint a clear picture: the old ways of doing application security aren't working, and speed without integrated security creates risk for companies," said Jason Schmitt, CEO of Black Duck. "To navigate this new world, development teams must shift from a reactive, tool-centric model to a proactive, platform-based strategy that integrates security directly into developer workflows to achieve true scale application security."
The challenges are exacerbated by 71% of respondents saying that security alerts are noise, with too many false positives and duplicate findings from multiple tools eating into any benefits, known as tool sprawl.
Risk vs reward for AI coding
More generally, two-thirds of respondents said AI helps them write more secure code, but 57% agreed it can also introduce new risks.
"This report nails the core dilemma facing modern DevSecOps: the tradeoff between velocity and visibility," said Mayur Upadhyaya, CEO at APIContext. "We're seeing a shift away from adding more tools toward simplifying and integrating the ones teams already have."
Upadhyaya added: "As AI becomes both a productivity multiplier and an attack vector, governance must evolve, but so must observability. If you can't baseline normal behavior and detect deviation in real time, you're playing catch-up. And in AI-native pipelines, catch-up is too late."
Of course, security debt is a problem even without AI. A report by Veracode earlier this year showed remediation times for security flaws had grown by 47% over the last five years, from an average 171 days to fix a vulnerability in 2020 to 252 days in 2025.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
-
Developers urged to remain vigilant amid continued Miasma malware risksNews The Miasma malware package uses legitimate OIDC tokens, making it indistinguishable from routine code updates
-
Euro-Office ‘sovereignty’ claims questioned in scathing open letter by LibreOffice maintainersNews The developers behind LibreOffice have questioned Euro-Office’s sovereignty credentials and use of a Microsoft-based document format
-
Hackers are turning up at law firms to gain physical access to machinesNews The FBI is warning companies to look out for fake IT staff
-
UK wants an AI-powered anti-hacking systemNews GCHQ is building a national cyber defence capability powered by AI – though it may take five years
-
UK and Australia agree to work more closely on AI securityNews A new deal sees Australia set up a new AI safety institute, which will share research with the UK AI Security Institute
-
GitHub internal repositories exfiltrated via malicious VS Code extensionNews The breach has been claimed by the TeamPCP hacking group, which said it is offering the data for sale
-
AI is getting better at security – and it's doing it faster than expectedNews UK AISI warns that AI models are already exceeding existing benchmarks for testing
-
AI and Data are reshaping the MSP landscape, but hackers are getting in on the hot AI actionNews AI is no longer just a buzzword; it's a hacker's dream and the channel's biggest opportunity
-
Is your new hire an AI clone? Microsoft says North Korean hackers are using AI to impersonate job seekers and steal company secretsNews The groups are increasingly using face-changing or voice-changing software to make their fake identities more plausible
