Why better tech hasn’t solved code security, growing up in the industry, and when goofing around turns into a Senate invite
# Industry News: AI-Generated Code Security Risks Highlighted by Veracode Research on SECURITY.COM Podcast
## Summary
A recent episode of the SECURITY.COM Podcast featured AppSec leader Chris Wysopal discussing new GenAI security research from Veracode, which indicates that AI-assisted development is producing a significant volume of insecure code, contradicting the expectation that better technology would solve code security issues. The dialogue emphasized the growing gap between increased code velocity and declining security outcomes, pointing to the need for automated remediation.
## Key Details
- **Date:** 5 Feb 2026 (Publication Date)
- **Companies Involved:** SECURITY.COM (Podcast Host), Veracode (Research Source), Broadcom (Underlying Entity for SECURITY.COM)
- **Category:** Market Analysis/Thought Leadership (Focus on Research Findings)
## The Story
The SECURITY.COM Podcast episode brought together host Dan Mellinger, Paul Miller, and AppSec veteran Chris Wysopal to analyze recent findings from Veracode concerning security quality in AI-generated code. Key takeaways included the observation that despite advances in developer tooling, security outcomes are worsening as code velocity increases. A specific, concerning data point mentioned is a "45% insecure output rate" from AI coding tools, which Wysopal and the hosts suggest reveals that simply generating more code does not equate to more secure code. The discussion stressed that the speed of development is masking inherent security risks and highlighted automated remediation as a crucial missing element in the current DevSecOps landscape.
## Business Impact
### For the Companies Involved
- **Veracode/Security Vendors:** The research generates timely content that validates the premise behind Static Application Security Testing (SAST) and, where assistants pull in outdated or vulnerable dependencies, Software Composition Analysis (SCA), especially for products aimed at generative AI output. This reinforces their R&D focus and product strategy.
- **SECURITY.COM/Broadcom:** Broadcasting expert commentary on a critical, emerging threat (AI code risk) positions the platform as a source for high-level strategic security insight.
### For Competitors
- **SAST/DAST/IAST Providers:** Competitors in the application security testing space will be pressed to answer the 45% figure with research and roadmap items of their own. The market demands verifiable solutions that audit and fix AI-assisted code, not just generic scanning.
### For Customers
- **Enterprises using AI Coding Assistants:** This research serves as a major warning flag. Customers must urgently validate the security posture of code being generated by LLMs, recognizing that relying on velocity metrics over security metrics can introduce significant technical debt and immediate vulnerabilities.
### For the Market
- **Application Security Market:** The findings signal a potential structural shift in which AI coding tools, while productivity boosters, become net introducers of vulnerabilities unless paired with rigorous, context-aware security tooling. This increases demand for scanning that handles modern codebases and the patterns AI assistants produce.
## Technical Implications
The reported 45% insecure output rate suggests that the training data, prompt context, and guardrails of the LLMs used for coding do not reliably yield code that meets secure coding standards such as the OWASP Top 10. The emphasis on **automated remediation** follows from the arithmetic: if nearly half of generated output carries a flaw and generation outpaces human review, finding flaws is no longer the bottleneck; fixing them at the same speed is, and today's feedback loops (scan, ticket, manual patch) cannot keep pace with that volume.
## Strategic Analysis
- **Market Positioning:** Application Security (AppSec) tooling vendors are well-positioned to pivot their messaging towards "AI Code Vetting/Guardrails." Companies with robust AI-aware analysis capabilities gain a significant advantage.
- **Competitive Advantage:** Solution providers that can demonstrate superior efficacy in detecting and remediating AI-introduced vulnerabilities will capture market share.
- **Challenges:** The primary challenge is keeping pace: new model versions and assistant integrations change what insecure generated code looks like faster than scanner rule sets are updated, so detection content must be refreshed against the output of current models rather than against a corpus of hand-written bugs.
## Industry Reactions
- **Analyst Opinions:** A likely analyst framing is a "productivity paradox" in software development: gains in output velocity are offset by increased security rework and risk exposure.
- **Expert Commentary:** Wysopal's commentary confirms a long-held suspicion: new tooling does not by itself solve human-centred problems such as security hygiene, and by abstracting away the code it can make them worse.
- **Market Response:** Expect increased sales pressure on AppSec solutions that claim "AI Code Fix" or "GenAI Code Scanning" capabilities in the near term.
## Future Outlook
- **Predictions and Expectations:** We anticipate a surge in specialized security products focused solely on integrating into AI coding workflows (e.g., IDE plugins that function as real-time security reviewers for LLM suggestions). Regulatory scrutiny of application security quality, especially in critical sectors, may increase in response to these findings.
- **What to watch for:** Veracode or other researchers publishing follow-up data showing improvements in the 45% figure over the next year, indicating industry adoption of countermeasures.
## For Security Professionals
Cybersecurity practitioners need to audit their secure development lifecycle (SDL) processes now. With nearly half of AI-generated output flawed, relying on developers to manually vet every suggestion does not scale. Security gates that run on AI-authored or AI-assisted code before it is merged, and training that covers how to prompt for and review generated code, must be established. The focus shifts from finding *bugs* generally to checking, at generation speed, the code the assistant just produced for *context and logic flaws*: code that compiles and passes tests but violates the application's security requirements.
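As an illustration of the "security gate for AI-assisted code" idea above and of the OWASP Top 10 patterns discussed under Technical Implications, here is an added example written for this page; it is not Veracode's scanner or any code from the podcast. It uses only the Python standard library `ast` module to flag two classic injection patterns that assistants commonly emit, and runs it over a constructed "AI-suggested" function and its remediated form. The function and variable names (`scan`, `gate`, `AI_SUGGESTED`, `REMEDIATED`) and the sample code are assumptions made for the example.

```python
"""Toy pre-merge security gate for AI-assisted Python code.

Illustrative example, not Veracode's tooling. Parses source with the
standard-library ast module and flags two OWASP Top 10 patterns that
coding assistants frequently produce:
  CWE-89  SQL query assembled by string formatting
  CWE-78  subprocess call with shell=True
"""
import ast
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    cwe: str
    message: str


# DB-API style methods whose first argument is a query string.
_QUERY_METHODS = {"execute", "executemany", "executescript"}
# subprocess entry points that accept shell=True.
_SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _is_dynamic_string(node: ast.AST) -> bool:
    """True when a string is built at runtime: f-string, % or + operator,
    or str.format(). A plain constant query is acceptable."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) \
            and node.func.attr == "format":
        return True
    return False


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee, e.g. 'subprocess.run' or 'cur.execute'."""
    parts = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def scan(source: str) -> List[Finding]:
    """Return a Finding for every risky call found in `source`."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        method = name.rsplit(".", 1)[-1]
        # CWE-89: the query text is composed from runtime values.
        if method in _QUERY_METHODS and node.args and _is_dynamic_string(node.args[0]):
            findings.append(Finding(node.lineno, "CWE-89",
                                    f"{name}: SQL built by string formatting; use a parameterised query"))
        # CWE-78: shell=True hands the command string to /bin/sh for parsing.
        if name.startswith("subprocess.") and method in _SUBPROCESS_FUNCS:
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append(Finding(node.lineno, "CWE-78",
                                            f"{name}: shell=True; pass an argv list instead"))
    return findings


def gate(source: str) -> bool:
    """Merge gate: passes only when the scan is clean."""
    return not scan(source)


# Constructed sample of what an assistant might emit for "look up a user and
# ping their host": it works, and it is injectable on both counts.
AI_SUGGESTED = '''
import sqlite3, subprocess

def lookup(conn, username, host):
    cur = conn.cursor()
    cur.execute(f"SELECT id FROM users WHERE name = '{username}'")
    subprocess.run("ping -c 1 " + host, shell=True)
    return cur.fetchone()
'''

# The same function after remediation: bound parameter and an argv list.
REMEDIATED = '''
import sqlite3, subprocess

def lookup(conn, username, host):
    cur = conn.cursor()
    cur.execute("SELECT id FROM users WHERE name = ?", (username,))
    subprocess.run(["ping", "-c", "1", host])
    return cur.fetchone()
'''

if __name__ == "__main__":
    for label, src in (("AI-suggested", AI_SUGGESTED), ("remediated", REMEDIATED)):
        print(f"{label}: {'PASS' if gate(src) else 'FAIL'}")
        for f in scan(src):
            print(f"  line {f.line} {f.cwe}: {f.message}")
```

Run as a script it reports FAIL with two findings for the assistant's version and PASS for the remediated one. The point is not the two rules, which any real SAST engine covers far more thoroughly, but where the check sits: as a deterministic gate on the generated code before merge, so the fix is applied at the pace the code is produced rather than after a later audit.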