Rapid AI-driven development makes security unattainable, warns Veracode

Summary

Veracode’s 2026 State of Software Security report, based on analysis of 1.6 million applications, warns that rapid, AI‑driven development is widening the remediation gap: more vulnerabilities are being created than fixed. The report finds that security debt (known vulnerabilities older than one year) now affects 82% of organisations, up from 74% the previous year, and that high‑risk vulnerabilities have risen from 8.3% to 11.3%.

There are a few bright spots: apps with open‑source vulnerabilities fell from 70% to 62% and overall flaw prevalence dipped slightly (80% to 78%). Veracode notes that increased scanning may expose more issues (and possibly more false positives), but also highlights that faster release cadences and growing technical complexity — including AI‑generated code — make remediation harder and increase risk. The report stresses that while AI can help find and even fix flaws, it also introduces new attack and reliability vectors such as prompt injection and malicious automation.

Key Points

  • Veracode analysed data from 1.6 million applications to produce the 2026 report.
  • Security debt now affects 82% of organisations (up from 74%); high‑risk flaws rose to 11.3%.
  • Faster release velocity means new code is added faster than existing vulnerabilities are fixed, widening the remediation gap.
  • AI‑generated code and greater technical complexity make identifying and fixing issues more difficult.
  • Increased use of testing tools is finding more problems — some of which may be false positives — which complicates triage.
  • AI can aid detection and automated remediation but also creates new risks (prompt injection, adversarial tooling).

Context and relevance

This report is important for software teams, security professionals and engineering leaders. It ties into broader industry trends: the push for faster, AI‑assisted delivery; heavier reliance on automated scanning; and adversaries using AI to scale attacks. The combination is driving a growing backlog of unresolved vulnerabilities and higher operational risk, signalling that incremental fixes to current processes are unlikely to be sufficient.

Why should I read this?

Because if your team is slinging out features faster than you can patch them, this is the paper that explains why that’s going to bite you. It’s a short, sharp reminder that dumping AI into dev workflows isn’t a magic fix — unless you rethink how you find, prioritise and fix bugs, you’ll end up with more mess, not less.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/02/26/veracode_security_ai/