Artificial intelligence can quickly generate code snippets, but it often ignores the rules of secure development. In 45% of cases, experts found critical vulnerabilities in such responses.
Artificial intelligence can quickly generate code snippets, but it often ignores the rules of secure development. In 45% of cases, experts found critical vulnerabilities in such responses.
Models like OpenAI Codex, GPT-3.5, and GPT-4 generate potentially dangerous code in almost half of cases, DOU reports, citing a Veracode report. The company analyzed more than 1,600 code examples that AI wrote in response to 12 application tasks.
On average, 45% of samples had serious vulnerabilities: SQL injections, XSS attacks, input validation errors, and authorization flaws. The worst results were in Java code, with problems found in 80% of samples. In Python and JavaScript, the level of vulnerabilities was much lower, around 30–40%.
Veracode explains this by saying that the models try to provide syntactically correct answers based on frequency in the training data, rather than security. As a result, the AI offers code that looks logical on the surface, but contains critical holes.
However, if the request explicitly states the requirement to focus on safe practices, the quality of responses increases significantly.
Veracode recommendations for developers
This is an American company specializing in automated code review systems. Its reports are often used in the industry to form secure development policies, especially in the context of the active introduction of AI assistants in programming.
We previously wrote about how, according to research, one in three links generated by language models like GPT-4.1 do not belong to the brand in question. Some of these addresses turn out to be dangerous, opening the way for phishing attacks and the spread of malicious code.
