The rise of AI coding tools and the skills gap they expose

December 15, 2025

Pieter Danhieux, Co-founder and CEO of Secure Code Warrior, warns that while AI coding tools promise speed and efficiency, they also introduce new risks.

AI: Immune from human-based shortfalls

The use of AI in coding is entering a state of mass adoption, with 94% of technology companies using AI coding assistants and 59% of developers using three or more AI tools at once.

The increased presence of AI tools within the developer community speaks to the need for greater efficiency to meet ever-looming deadline pressures in delivering high-quality products.

It can also be beneficial to have an AI assistant that is immune from human-based shortfalls in code review, such as fatigue and biases.

Upskilling security professionals

But we cannot afford to sacrifice safety for speed, as AI tools bring inherent risks of compromise.

It is absolutely critical to ensure those leveraging AI tools can identify flaws within the code itself.

Organisations should prioritise upskilling and verifying developers’ security expertise so they are confident in mitigating potential vulnerabilities in AI-assisted code at the earliest stage possible.

To be clear: AI-assisted reviews are valuable for addressing straightforward security issues, including code ‘smells’ (indicating less readable, maintainable or efficient code), anti-patterns (counterproductive traits) and vulnerabilities that manual reviews frequently do not catch.

But they fall short when confronted with more complex, subjective challenges – such as proper authorisation, nuanced input validation or data sensitivity.

Unaddressed flaws often lead to vulnerable code, sensitive data leakage and elevated organisational risk.

AI tools are not safe for enterprise use unless the code output is reviewed and implemented by a security-proficient human.

In fact, 46% of developers admit that they don’t trust the accuracy of the output from AI tools, up from 31% a year ago.

That’s why security departments must work with developer teams on upskilling initiatives to assess and improve team members’ awareness and capabilities to the point at which they can mitigate AI-assisted code vulnerabilities from the very start of the software development lifecycle (SDLC).

This will lead to the cultivation of a ‘security first’ team culture and safer AI use.

AI tools cannot match human oversight

A security-proficient developer’s review plays a critical role in a well-defended SDLC, because AI cannot match human oversight of the following risk areas, as summarised by Mend.io, an application security company:

  • Contextual understanding that flags nuanced problems, including custom logic, business requirements and domain-specific idioms
  • False positives and negatives, as AI may not be up to speed with the latest programming languages or emerging threats. It is prone to incorrectly flagging correct code as flawed, and flawed code as correct
  • Over-extended trust, with developers delegating too much of the review process to AI, often creating blind spots

Agentic variations

In addition, agentic AI will introduce new or ‘agentic variations’ of existing threats, like memory poisoning, remote code execution (RCE) and code attacks.

It can harm code via logic errors, which cause the product to ‘run’ correctly but behave incorrectly; style inconsistencies, which produce patterns that do not align with the current, required structure; and lenient permissions, which act correctly but lack the authorisation context needed to determine whether an end user is allowed to perform a particular action.
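The ‘lenient permissions’ case above is the one most easily missed in review, because the code does exactly what the request asks. The following is an added example, not code from this article or from Secure Code Warrior or Mend.io: a document-update handler in the lenient form beside a hardened form that carries the requester into the authorisation decision. The `User`, `Document`, store contents and `can_edit` policy are all constructed for the illustration.

```python
"""Added example: the 'lenient permissions' failure mode.

Both handlers update a record correctly. Only the hardened one knows who is
asking and checks that before changing state. All data here is constructed.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the requester is not allowed to perform the action."""


@dataclass
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Document:
    doc_id: str
    owner_id: str
    body: str


def make_sample_store() -> dict:
    """Constructed sample data: two documents owned by two different users."""
    return {
        "doc-1": Document("doc-1", owner_id="alice", body="quarterly plan"),
        "doc-2": Document("doc-2", owner_id="bob", body="bob's notes"),
    }


def update_document_lenient(store: dict, doc_id: str, new_body: str) -> Document:
    """Acts correctly but lacks authorisation context.

    The update succeeds and the result is right, yet nothing ties the action
    to the requester, so any caller can overwrite any document. A reviewer
    who only checks that the function 'works' will pass it.
    """
    doc = store[doc_id]
    doc.body = new_body
    return doc


def can_edit(requester: User, doc: Document) -> bool:
    """Authorisation policy (assumed): owners and admins may edit, nobody else."""
    return requester.user_id == doc.owner_id or "admin" in requester.roles


def update_document_checked(store: dict, requester: User, doc_id: str, new_body: str) -> Document:
    """Hardened form: the requester is part of the call, and the decision is
    made server-side before any state change.

    A missing document and a denied request are reported identically so the
    API does not reveal which document ids exist to callers who may not see them.
    """
    doc = store.get(doc_id)
    if doc is None or not can_edit(requester, doc):
        raise AuthorizationError(f"{requester.user_id} may not edit {doc_id}")
    doc.body = new_body
    return doc


if __name__ == "__main__":
    store = make_sample_store()
    mallory = User("mallory")
    # Lenient: the overwrite of someone else's document simply succeeds.
    print(update_document_lenient(store, "doc-1", "overwritten").body)
    # Checked: the same request from a non-owner is refused.
    try:
        update_document_checked(store, mallory, "doc-2", "overwritten")
    except AuthorizationError as exc:
        print("denied:", exc)
```

In a review of AI-assisted code, the question to ask of any state-changing function is the one the hardened version answers explicitly: where does the identity of the caller enter, and where is it compared against the resource before the change is applied. A function with no such path is the lenient pattern regardless of how correct its output looks.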

For developers to effectively identify any inconsistencies, their organisations need to establish AI governance and ensure that developers are equipped to maintain oversight, with the security skills to safely prompt and review AI-assisted code and commits.

Organisations that fail to commit to AI governance and do not invest in the security-focused upskilling of developers risk becoming overwhelmed by these tools.

To ensure their teams are prepared and vigilant in identifying any suspicious deviations from start to finish of the SDLC, they must prioritise the following:

  • Continuous education: Ongoing sessions will show developers what to look for in code reviews, lending the human-enabled advantages of oversight that AI simply cannot. Agile training offers flexible schedules and formats that fit participants’ work lives, while integrating hands-on lessons with the security challenges teams face in the real world
  • Benchmarking: Security leaders need to work with developer teams to assess individual members’ aptitude and to identify where skills gaps exist. This should cover the ability to write secure, well-protected code and to carefully review output generated with AI
  • Risk scoring: In addition to routine education and benchmarking, organisations can take the next step by combining signals – such as AI tool usage, vulnerability data, developer security skills, etc. – to derive a risk score. This works much like our personal credit score by assessing multiple factors to determine how much unintentional risk teams can bring on, based upon their knowledge levels, practices and oversight

We are all aware that AI tools can do many wonderful things for developers.

But we must take proactive steps to implement well-defended review practices.

Through ongoing efforts to upskill developers and to implement benchmarking and risk scoring, security team leaders ensure that the urgency of production schedules never comes at the expense of producing safe code.

Security Journal UK