AI Coding Assistants Boost Productivity … But At What Cost to Security?
As the pressure mounts to ship faster and innovate more aggressively, development teams must remember that code security is no longer optional but a business-critical necessity.
Posted: Monday, Aug 11

Since OpenAI’s ChatGPT burst onto the tech scene in late 2022, artificial intelligence (AI) tools have rapidly become embedded in the workflows of software developers.

Praised for their speed, efficiency, and ability to assist with complex tasks, AI coding assistants are now a mainstay in development environments globally.

By mid-2023, a GitHub survey revealed that more than 90% of developers were already using AI tools either professionally or recreationally. Since then, the ecosystem has grown to include contenders such as Google Gemini, Cursor AI, GitHub Copilot, and China’s DeepSeek.

It’s not difficult to see why adoption has been so swift. These tools can automate documentation, answer technical queries, improve code quality, and even write entire applications from scratch.

One emerging trend, dubbed “vibe coding,” allows even users with only minimal programming knowledge to generate functioning applications using plain-language prompts.

However, while these tools accelerate development and improve accessibility, they also introduce critical concerns, particularly around code security.

Security Playing Catch-up

Despite their popularity, AI coding assistants are underperforming where it matters most: generating secure code. A wave of new research is highlighting troubling gaps between code that is functionally correct and code that is secure.

BaxBench[1], a coding benchmark created specifically to evaluate the security of AI-generated code, tested 21 leading LLMs across 392 security-critical backend coding tasks. The results were stark: 62% of generated solutions were either incorrect or insecure. Even among those deemed “correct,” about half were still found to contain vulnerabilities.

OpenAI’s GPT-4o, for instance, produced correct outputs 45.6% of the time but achieved only a 29.6% score when both correctness and security were considered. DeepSeek R1 had a 51.5% correctness score, but its secure coding rate was a much lower 32.1%.

The message is clear: today’s leading AI tools struggle to reliably produce code that is both functional and secure.

Flawed Training Data Means Flawed Code

One of the core issues lies in the training data. AI coding assistants are built on vast repositories of open-source code, much of which is poorly written or riddled with insecure coding patterns. As a result, LLMs are liable to reproduce existing weaknesses in their outputs, creating a feedback loop in which insecure code begets more insecure code.

A recent study[2] by researchers across China, Australia, and New Zealand, which assessed 452 code snippets generated by GitHub Copilot, found that nearly 30% of them had security vulnerabilities linked to 38 different Common Weakness Enumeration (CWE) categories. Alarmingly, several of these were among MITRE’s 2023 CWE Top-25 most dangerous software weaknesses[3].

The implications are significant. Vulnerabilities that slip into production code, whether from LLM-generated suggestions or elsewhere, pose escalating risks to corporate systems, national infrastructure, and consumer privacy.

Developer Trust Is Shifting

The hype around AI tools remains strong; however, developer sentiment is evolving. Stack Overflow’s 2024 survey of more than 65,000 developers found that 76% either used or planned to use AI coding assistants, up from 70% in 2023.

However, overall trust has dipped. While 77% of respondents in 2023 held a favourable view of AI coding tools, that number dropped to 72% a year later. Only 42% said they trust the output of these tools outright, and nearly a third (31%) said they do not.

Even more revealing, a separate survey from Snyk[4] found that 76% of developers believed AI-generated code was more secure than human-written code. However, more than half also admitted that AI tools introduced errors either “sometimes” or “frequently”.

Most troubling of all, 80% of developers surveyed said they do not apply any formal security policies when incorporating AI-generated code.

A Business Imperative

As cyber threats become more sophisticated and more frequent, security must be seen not merely as a technical concern, but as a strategic and operational priority. With software now a primary target in global cyberattacks, securing code at the source has never been more important.

This requires a cultural and structural shift, as the days when development and cybersecurity teams could work in isolation are over. Enterprises must build integrated teams and embed security knowledge across every stage of the software development lifecycle (SDLC).

AI tools can be part of the solution, but only if their use is governed by informed, security-conscious developers. For this reason, organisations are being urged to invest in continuous education.

A robust learning platform can help upskill developers to identify security risks and understand how to prompt AI tools safely and effectively. Developers must learn not only how to write secure code themselves, but also how to vet AI-generated suggestions through careful code review, mitigating potential flaws before deployment.

Caution Required

The potential benefits of AI coding assistants are undeniable: greater speed, higher productivity, and broader accessibility. However, the industry cannot afford to trade security for convenience.

As the pressure mounts to ship faster and innovate more aggressively, development teams must remember that code security is no longer optional but a business-critical necessity.

[1] https://baxbench.com/
[2] https://arxiv.org/abs/2310.02059v2
[3] https://cwe.mitre.org/top25/archive/2023/2023_top25_list.html
[4] https://snyk.io/reports/ai-code-security/

Matias Madou
Matias Madou, Ph.D. is a security expert, researcher, and CTO and co-founder of Secure Code Warrior. Matias obtained his Ph.D. in Application Security from Ghent University, focusing on static analysis solutions. He later joined Fortify in the US, where he realised that it was insufficient to solely detect code problems without aiding developers in writing secure code. This inspired him to develop products that assist developers, alleviate the burden of security, and exceed customers' expectations. When he is not at his desk as part of Team Awesome, he enjoys being on stage presenting at conferences including RSA Conference, BlackHat and DefCon.