Dive Brief:
- Virtually all companies have experienced some type of intrusion due to vulnerable code, application security firm Checkmarx said in a report released Thursday.
- Nearly eight in 10 firms reported experiencing such breaches in 2023; that figure climbed to more than 90% last year and reached 98% this year.
- At the same time, eight in 10 companies said they sometimes or often released software with code they knew was vulnerable, up from two-thirds in 2024. “This isn’t oversight,” Checkmarx said. “It’s strategy.”
Dive Insight:
While many cyberattacks exploit human error, including through social engineering, software vulnerabilities remain a potent way to penetrate a target network. But despite widespread awareness of this fact, Checkmarx said, “security breaches caused by vulnerable code remain widespread.”
“Most organizations know the risks,” the company observed, “yet too few are acting decisively to reduce them.”
The percentage of surveyed organizations that experienced four or more breaches per year rose sharply since Checkmarx’s last annual survey, reaching 27% this year after hitting 16% in 2024.
Checkmarx said the rise “suggests a compounding risk effect, where each breach potentially weakens defenses, exposes additional vulnerabilities, or signals deeper systemic issues in the organization’s software development and security practices.”
Checkmarx’s report is based on surveys of 514 chief information security officers, 501 application security managers and 504 software developers in the U.S. and eight other countries.
More than a third of companies (35%) expect to experience a software supply-chain compromise in the next 12 to 18 months, topping the list of expected attack vectors. The same percentage of companies predicted that they would experience a breach due to a vendor intrusion, while roughly the same number of respondents predicted an intrusion due to a cloud service misconfiguration.
Only 31% of CISOs and application security managers consider their security program to be highly mature. Another 47% said they had above-average programs that had room for improvement. Checkmarx said it was alarmed to find that nearly 20% of respondents reported “significant gaps” in their programs.
Companies are also eagerly embracing AI-generated code. Half of respondents said they use AI security code assistants, but only 18% of companies have policies governing the use of those tools. Additionally, only 12% of companies said they could adequately manage the security implications of using AI to generate code.