AI Coding Assistants' Impact on Software Security and Quality
OpenAI's GPT-5 and GPT-5-mini models have demonstrated significant improvements in generating secure code compared to previous iterations, according to Veracode's GenAI Code Security Report. These reasoning models achieved security pass rates of 70% and 72% on a benchmark covering common vulnerabilities such as SQL injection, weak encryption, cross-site scripting, and log injection across multiple programming languages. Despite these gains, the report notes that even the best-performing models still make insecure coding choices about 30% of the time, and non-reasoning models like GPT-5-chat lag behind, highlighting the importance of reasoning steps in AI-generated code security.
While AI coding assistants can potentially enhance software security and quality, current deployment practices often result in the rapid introduction of new vulnerabilities and quality issues. Industry experts warn that the increased speed of code generation enabled by AI is exacerbating an ongoing decline in software quality, making it harder for organizations to manage and remediate bugs. The combination of faster development cycles and insufficient oversight may lead to a net-negative impact on business security and software reliability, underscoring the need for improved development models and rigorous code review processes when leveraging AI tools.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
SC Media reports GPT-5 security benchmark results
SC Media reported on Veracode's findings that GPT-5 reasoning models generated more secure code than prior models, while emphasizing that even the best models still made insecure choices about 30% of the time and require human review and layered security controls.
ReversingLabs publishes analysis on AI-driven software quality decline
ReversingLabs published a blog post arguing that AI is accelerating a broader collapse in software quality. No additional event details were provided in the reference content.
Veracode's October 2025 report finds GPT-5 models lead secure coding benchmark
Veracode's October 2025 GenAI Code Security Report found that OpenAI's GPT-5 and GPT-5-mini reasoning models achieved secure coding rates of 70% and 72%, the highest results among models tested. The report also noted weaker or more moderate performance from non-reasoning models and competing models from vendors including Anthropic and xAI.
Veracode begins benchmarking LLM secure coding performance
Since July 2025, Veracode tested large language models on their ability to avoid introducing SQL injection, weak encryption, cross-site scripting, and log injection flaws across Java, Python, C#, and JavaScript.
Formal study finds widespread vulnerabilities in AI-generated code
A study titled "Broken by Default" evaluated 3,500 code artifacts from seven widely used LLMs across 500 security-critical prompts and found 55.8% contained at least one vulnerability. Researchers used the COBALT pipeline and Z3 SMT solver to formally prove 1,055 findings, concluding that even the best-performing model still produced insecure code at high rates.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
OpenAI’s GPT-5 generates more secure code than past models, report finds
scworld.com
Open sourceSoftware quality's collapse: How AI is accelerating decline
reversinglabs.com
Open sourceBroken by Default: A Formal Verification Study of Security Vulnerabilities in AI-Generated Code - Infosec.Pub
infosec.pub
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Security Risks and Challenges of AI-Generated Code for Developers
The widespread adoption of generative AI (GenAI) tools in software development has significantly increased productivity, enabling developers to document, write, and optimize code at unprecedented speeds. According to a 2023 McKinsey study, organizations have rapidly integrated AI into their development workflows, with 83% using AI for code creation and 57% relying on AI-powered coding tools as a standard practice. However, this surge in AI-assisted coding has introduced new security risks, as traditional security models focused on perimeter or infrastructure controls do not adequately protect the data and code generated by these tools. Studies have revealed that nearly half of code snippets produced by popular AI models contain vulnerabilities, underscoring the prevalence of insecure code generation. High-profile incidents, such as Samsung's 2023 ban on ChatGPT following a sensitive code leak, highlight the real-world consequences of insufficient safeguards when using GenAI in development environments. The responsibility for securing data and code remains with developers, even as cloud providers secure the underlying infrastructure. The rapid pace of AI-generated code has outstripped the ability of traditional secure coding training to keep up, shifting the focus from training human programmers to ensuring that AI systems themselves are capable of secure coding. Industry experts note that AI is currently less effective at producing secure code than human programmers, with multiple studies and reports from sources like Schneier on Security, Veracode, and SC Media confirming this trend. The volume of vulnerabilities continues to rise, with over 47,000 publicly known vulnerabilities expected in a single year and at least 130 new vulnerabilities reported daily. This ongoing wave of vulnerabilities leads to constant exploitation and patching, further emphasizing the need for secure coding practices at the AI level. While AI has delivered substantial productivity gains—developers report 30% to 40% increases—these benefits are undermined by the security shortcomings of AI-generated code. The industry is now at a crossroads, where the imperative is to teach AI systems to code securely, rather than relying solely on human oversight or post-development security reviews. Integrating security into the AI coding process and providing developers with tools that embed data protection are seen as essential steps to address these emerging challenges. The shift towards AI-driven development necessitates a reevaluation of security strategies, focusing on proactive measures that align with the realities of modern software engineering. Without such changes, organizations risk exposing themselves to significant security threats stemming from the very tools designed to enhance their productivity.
Jun 29, 2026
OpenAI GPT-5.2-Codex Release and AI-Driven Vulnerability Detection
OpenAI has released GPT-5.2-Codex, a new AI model designed to enhance agentic coding and cybersecurity tasks, with notable improvements in vulnerability detection and software engineering workflows. The model demonstrates superior performance on benchmarks such as SWE-Bench Pro and Terminal-Bench 2.0, and excels in professional Capture-the-Flag challenges, supporting advanced tasks like fuzzing, attack surface analysis, and test environment setup. OpenAI has implemented stronger safeguards to mitigate dual-use risks and is offering the model to paid ChatGPT Codex users, with an invite-only pilot for vetted cybersecurity professionals focused on defensive applications. The model's capabilities have already contributed to the discovery of several critical vulnerabilities in React Server Components, including CVE-2025-55182 (RCE), CVE-2025-55183 (source code exposure), and CVE-2025-67779 (DoS), prompting urgent patching recommendations. Industry research highlights both the promise and risks of AI-generated code, with studies showing that machine-written pull requests contain significantly more bugs and security vulnerabilities than those authored solely by humans. Issues such as improper password handling, insecure object references, and cross-site scripting are notably more prevalent in AI-generated code, raising concerns about the security implications of rapid AI-driven development. These findings underscore the importance of robust review processes and the need for continued vigilance as AI tools become more deeply integrated into software engineering and cybersecurity operations.
Jun 29, 2026
AI Coding Tools Boost Output While Increasing Review, Security, and Burnout Risks
Enterprises are accelerating adoption of AI coding assistants and agents, with vendors and engineering leaders reorganizing around tools such as GitHub Copilot, Codex, Claude Code, and formal-verification agents to increase software output and support smaller teams. OpenAI has reportedly shifted strategy toward coding and enterprise customers, while companies such as Cursor are deploying always-on security agents that scan pull requests, patch dependencies, and block risky changes before release. Research and industry reporting also show AI is changing how developers work: Copilot users spend more time coding and less time on collaboration and project-management tasks, and engineering teams increasingly treat AI as a force multiplier rather than a replacement for human developers. At the same time, multiple studies and incident reports say the gains are being offset by a growing **review and supervision tax**. Reports from Harness, DORA, Sonar, and other researchers found that heavier AI use often correlates with more code review effort, higher defect and deployment risk, longer remediation and recovery times, and rising burnout among senior engineers who must validate AI-generated changes. Security researchers at RSAC 2026 said AI assistants reproduce common flaws such as `SSRF`, `XSS`, path traversal, command injection, and open redirects at scale, while reporting tied AI-assisted changes to outages and operational failures, including an AWS disruption. Across the coverage, experts urged organizations to keep humans in the loop, apply stricter governance and testing for AI-generated code, and measure validation workload, defect escape, and technical debt rather than code volume alone.
Jun 29, 2026