Skip to main content

Black Duck releases report on AI code security gap

Black Duck released a report that documented a gap between broad use of Artificial Intelligence (AI) tools in software development and limited protections for code produced by those tools, a difference the report said increased risk across software supply chains.

The report presented survey data showing that 95% of respondents used AI tools in development while only 24% performed comprehensive intellectual property, license, security, and quality evaluations on AI-generated code, a shortfall the report said exposed the software supply chain to potentially severe and unaddressed risks.

The study also described several practices and their measured outcomes: 76% of respondents checked AI-generated code for security risks; organizations effective at tracking open source dependencies reported 85% preparedness compared with 57% overall; respondents using automatic continuous monitoring reported a 60% rate of remediating critical vulnerabilities within a day versus 45% for the full group.

The report outlined additional findings on third-party verification and controls: respondents that always validated SBOMs reported 63% high preparedness to evaluate third-party software and 59% typically responded to critical vulnerabilities within one day; respondents using at least three compliance controls remediated critical vulnerabilities within a day at 49%, rising to 54% for those using at least four controls, while 35% cited interpreting and operationalizing complex regulatory requirements as their biggest challenge.

“We're in a new era of rapid software innovation, fueled by AI, but these findings reveal a critical challenge: security isn't keeping pace,” “It's imperative that organizations prioritize robust security frameworks, with a sharp focus on AI-generated code and meticulous dependency management, to build truly resilient software supply chains,” said Jason Schmitt.

The study was conducted by UserEvidence using a survey of 540 software security leaders and practitioners and was published as the report titled “Navigating Software Supply Chain Risk in a Rapid-Release World,” which emphasized that a resilient software supply chain extended beyond compliance and enabled organizations to address vulnerabilities, minimize downtime, prevent data breaches, and improve developer productivity and development velocity.

Provided by Cision on behalf of Synopsys. Click to read original content.