When a False Sense of Security Meets Breakneck Developer Velocity
In an industry long accustomed to rapid change, 2025 may be remembered as the year the ground truly shifted.
According to The Future of Application Security Report, a global research study conducted by Censuswide on behalf of Checkmarx and published today, application development has entered a new phase—one in which AI now writes much, if not most, of the code. Yet security practices remain anchored in outdated assumptions, allowing unchecked AI-generated code to reach production at an unprecedented pace.
A Moment of Reckoning: What the Data Tells Us
The report, based on insights from more than 1,500 security leaders, AppSec managers, and developers across nine countries, reveals a landscape defined not by lack of awareness, but by mounting structural and cultural lag:
- AI-generated code is becoming standard practice. One in three respondents say over 60% of their organization’s code is now written by AI. Yet only 18% have formal policies or governance in place to manage this shift.
- Vulnerabilities are knowingly shipped. A full 81% of respondents report their organizations deploy code with known security flaws: sometimes by necessity, often by design.
- Security tooling remains underutilized. Fewer than half of organizations are actively using foundational tools such as DAST, IaC scanning, or container security.
- Breach frequency continues to climb. 98% of organizations experienced at least one breach related to vulnerable in-house code in the past 12 months, a concerning continuation of an upward trend.

Key figures: 98% experienced at least one breach (a 3% increase year over year); 81% deploy code with known security flaws; 1 in 3 have most of their code generated by AI; 18% have AI governance policies in place.
An Industry Caught Between Two Ages
This is not a call to panic, but rather a call to pause and reflect. For decades, the security community has advocated for secure-by-design principles, tighter developer collaboration, and earlier intervention in the SDLC.
Yet the accelerating adoption of AI, coupled with relentless business pressure, has exposed fault lines in even the most well-intentioned security programs.
The Checkmarx report finds that many organizations now treat security debt as a tolerable cost of business, relying on patch-later practices that assume, implicitly or otherwise, that exploitable vulnerabilities won’t be discovered or acted upon in the interim.
Meanwhile, developers – many of whom are now responsible for remediation – are navigating new complexities, including shadow AI usage, insufficient guardrails, and growing expectations without sufficient guidance, education or support.
Rebalancing the Equation: Where We Go From Here
The Future of Application Security Report does not simply chronicle a shift; it offers a framework for addressing it. Among its key recommendations:
- Govern AI proactively. Establish clear usage policies, approved toolsets, and code provenance controls before usage becomes unmanageable.
- Operationalize your tooling. Ensure AppSec tools are not only purchased but embedded directly in developer environments, pipelines, and workflows.
- Move from awareness to action. Translate high-level security posture into specific, enforceable controls and developer-level feedback.
- Adopt code-to-cloud strategies. Visibility and protection must extend from first commit to live deployment and beyond.
- Support developers with clarity. Invest in real-time remediation support, incentivized secure coding, and aligned metrics that recognize both speed and safety.
- Adopt agentic AI in AppSec. As AI-generated code scales beyond human oversight, organizations must begin adopting agentic AI: autonomous security agents capable of analyzing, enforcing, and remediating risk in real time. The only viable response to AI-scale development may be AI-powered defense.
The Path Forward
The picture painted in this report is neither pessimistic, nor complacent. Rather, it is a candid assessment of an industry in transition.
AI is not merely influencing the development process. It is redefining it. And while the pace of change is formidable, the principles that underpin sound security – visibility, accountability, shared responsibility – remain more relevant than ever.
If there’s a central takeaway from this year’s findings, it’s this: turning a blind eye to insecure practices is no longer a viable strategy.
In an industry where 81% of organizations knowingly ship vulnerable code, AI now writes the majority of application code, and 98% report breaches, the trajectory is unsustainable.
Without a deliberate course-correction in governance, cultural change, and the operationalization of modern AppSec practices, development velocity will continue to outpace security’s ability to protect it. The collision point is not theoretical. It’s imminent.
But so is the prospect of a new equilibrium: one where security is embedded, AI is governed, and development teams are empowered to deliver safely at speed. The opportunity is clear. What remains is execution.
For a comprehensive view of the findings and their implications, download the full report.