Advanced AI News
AI writes bad code faster than we can fix it

By Advanced AI Bot, June 13, 2025
COMMENTARY: Coding agents powered by large language models (LLMs) have changed how software gets built. These tools automate programming tasks that used to eat up developer time, from writing basic functions to debugging complex modules.

More than half of organizations already use coding agents in production, with another 78% planning to deploy them soon. GitHub Copilot dominates the market, but tools such as Cursor and Windsurf are catching up fast with more autonomous features. We’ve moved way beyond smart autocomplete—these systems can now build, test, and deploy code with barely any human input.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

Development teams love the productivity boost. Projects that took weeks now wrap up in days. Junior developers can handle tasks that used to require senior expertise.

But here’s the problem nobody wants to talk about: Early research shows AI-generated code is riddled with more security vulnerabilities than code written by humans. The same automation that’s speeding up development might create exploitable weaknesses faster than we’ve ever seen before.

As these tools become the norm, we’re facing a question most organizations haven’t seriously considered. What happens when machines start cranking out bad code faster than humans can catch the problems?

The studies coming out aren’t pretty. Stanford researchers put developers through their paces with AI coding assistants and got troubling results. In 80% of tasks, developers using AI tools produced less secure code than those coding the old-fashioned way. Here’s the kicker: those same developers were 3.5 times more likely to think their code was actually secure.

Backslash Security ran their own tests on the big players—ChatGPT, Claude, and Gemini. Even when researchers explicitly asked for secure code, every single model spit out software vulnerable to at least four of the top ten Common Weakness Enumeration (CWE) categories. When we see consistent problems across different AI systems, we know it isn’t just a few bad examples.

The vulnerability patterns are becoming predictable, and they’re nasty. SQL injection flaws keep showing up in database code where AI systems botch input sanitization. Cross-site scripting holes appear in web applications that skip proper input validation. Passwords and API keys get hardcoded straight into source code. Dependencies with known security problems get pulled in without any vetting.

Here’s where it gets scary: A single AI agent can pump out hundreds of code snippets daily, each one potentially carrying security holes. Traditional code review processes weren’t built for this volume. Security teams are drowning in the sheer amount of code they need to examine.

The sneaky part: how these vulnerabilities hide. Syntax errors break compilation and get caught immediately. Security flaws let code run normally while opening attack paths. Automated testing misses most of these issues, especially the ones that need specific conditions to trigger.

Why human review remains essential

Despite all the AI hype, human oversight still matters more than vendors want to admit. AI systems are great at pattern matching and code generation, but they’re terrible at understanding context—like how security decisions affect specific business environments.

Organizations that cut humans out of code review are seeing more flawed software hit production. Modern applications are complex beasts. Our teams need human judgment to figure out how components interact with existing systems and whether code meets security policies that AI can’t grasp.

The companies getting this right use hybrid approaches. They let AI handle the grunt work, but put humans in charge of security decisions. These setups create review checkpoints where human evaluation becomes mandatory, especially for code touching sensitive data or authentication systems. The organization keeps the productivity gains, while ensuring someone with a brain reviews the security-sensitive stuff.

Securing development against AI-generated risks

Organizations rolling out coding agents need to rethink their security approach. Based on what we’re seeing from early deployments and research, here’s what actually works:

  • Set up mandatory review gates: Any code handling authentication, data processing, or external connections needs human eyes on it, period. Don’t care what the AI confidence score says. These checkpoints catch problems before they reach production.
  • Upgrade the company’s scanning tools: Existing static analysis tools weren’t designed for AI-generated vulnerabilities. Teams need scanning systems that specifically look for the dumb mistakes AI makes—hardcoded secrets, broken input validation, sketchy dependencies. Run these scans constantly, not just during builds.
  • Fix all training data: For teams building internal coding agents, the training data had better emphasize secure coding practices. Include real examples of proper input validation, secure authentication, and decent error handling. Garbage in, garbage out applies here more than anywhere.
  • Layer the company’s defenses: One security control won’t cut it. Deploy dynamic application security testing, web application firewalls, and monitoring systems that can catch exploitation attempts even when vulnerable code slips through. Assume some bad code will make it to production and make sure that applications are continuously evaluated for dangerous security gaps.
  • Rewrite policies to reflect AI’s presence: The company’s existing development security policies probably don’t mention AI at all. Fix that right away. Create clear rules for AI tool usage, review processes, and incident response for AI-introduced vulnerabilities. Cover both the technical controls and the human processes.
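
One way to wire the first two recommendations together, as an added example that is not from the article: a pre-merge check that reads a unified diff and routes a file to a human reviewer when it sits on a sensitive path or when an added line matches one of the flaw classes named earlier (hardcoded secrets, string-built SQL, raw HTML sinks). The path list, rule names and regexes are assumptions chosen for illustration, and the diff is constructed sample input.

```python
import re

# Assumed policy: path fragments that always require a human reviewer.
SENSITIVE_PATHS = ("auth", "login", "payment", "session")

# Heuristic rules for flaw classes the article names (illustrative, not exhaustive).
RULES = {
    "hardcoded-secret": re.compile(
        r"""(?i)\b(password|passwd|secret|api_?key|token)\b\s*[:=]\s*["'][^"']{6,}["']"""),
    "sql-string-building": re.compile(
        r"""(?i)\b(execute|query)\s*\(\s*(f["']|["'][^"']*["']\s*[%+]|["'][^"']*["']\.format)"""),
    "raw-html-sink": re.compile(r"\.innerHTML\s*=|document\.write\s*\("),
}

def review_gate(diff_text):
    """Map each changed file that needs human review to its (line, reason) list."""
    flagged, path, lineno = {}, None, 0
    for line in diff_text.splitlines():
        if line.startswith("+++ "):              # new-file header: track current path
            path = line[6:] if line[4:6] == "b/" else line[4:]
            if any(p in path.lower() for p in SENSITIVE_PATHS):
                flagged.setdefault(path, []).append((0, "sensitive-path"))
        elif line.startswith("@@"):              # hunk header: reset new-file line counter
            lineno = int(re.search(r"\+(\d+)", line).group(1)) - 1
        elif line.startswith("+"):               # added line: scan only what the change adds
            lineno += 1
            for reason, rx in RULES.items():
                if rx.search(line[1:]):
                    flagged.setdefault(path, []).append((lineno, reason))
        elif not line.startswith("-"):           # context line advances the counter
            lineno += 1
    return flagged

# Constructed sample diff (not from any real repository).
SAMPLE_DIFF = '''\
--- a/app/auth/login.py
+++ b/app/auth/login.py
@@ -10,3 +10,5 @@ def login(db, user, pw):
     cur = db.cursor()
+    API_KEY = "EXAMPLE-not-a-real-key"
+    cur.execute(f"SELECT id FROM users WHERE name = '{user}'")
     return cur.fetchone()
--- a/docs/README.md
+++ b/docs/README.md
@@ -1,2 +1,3 @@
 # Docs
+Build instructions updated.
'''

if __name__ == "__main__":
    for f, reasons in review_gate(SAMPLE_DIFF).items():
        print("HUMAN REVIEW REQUIRED:", f, reasons)
```

A non-empty result would block auto-merge and request a reviewer; regex rules like these produce both false positives and misses, so they complement rather than replace a real static analyzer.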

AI coding tools promise real value for development speed and innovation. But if organizations ignore the security side, they set themselves up for systematic vulnerabilities that make traditional software security problems look manageable. Get the frameworks and human oversight right, and the organization can capture the benefits without negatively impacting its codebase.

Graham Rance, vice president, global pre-sales, CyCognito

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.


