
Black Duck releases report on AI code security gap

Black Duck released a report documenting a gap between the broad use of Artificial Intelligence (AI) tools in software development and the limited safeguards applied to the code those tools produce, a gap the report said increases risk across software supply chains.

The report presented survey data showing that 95% of respondents used AI tools in development, while only 24% performed comprehensive intellectual property, license, security, and quality evaluations of AI-generated code. The report characterized this shortfall as exposing the software supply chain to potentially severe and unaddressed risks.

The study also described several practices and their measured outcomes: 76% of respondents checked AI-generated code for security risks; organizations that were effective at tracking open source dependencies reported 85% preparedness, compared with 57% across all respondents; and respondents using automated continuous monitoring reported remediating critical vulnerabilities within a day at a 60% rate, versus 45% for the full group.

The report outlined additional findings on third-party verification and controls. Respondents that always validated SBOMs reported 63% high preparedness to evaluate third-party software, and 59% of them typically responded to critical vulnerabilities within one day. Respondents using at least three compliance controls remediated critical vulnerabilities within a day at a 49% rate, rising to 54% for those using at least four controls. At the same time, 35% of respondents cited interpreting and operationalizing complex regulatory requirements as their biggest challenge.

“We're in a new era of rapid software innovation, fueled by AI, but these findings reveal a critical challenge: security isn't keeping pace,” said Jason Schmitt. “It's imperative that organizations prioritize robust security frameworks, with a sharp focus on AI-generated code and meticulous dependency management, to build truly resilient software supply chains.”

The study was conducted by UserEvidence through a survey of 540 software security leaders and practitioners and was published as the report titled “Navigating Software Supply Chain Risk in a Rapid-Release World.” The report emphasized that a resilient software supply chain extends beyond compliance, enabling organizations to address vulnerabilities, minimize downtime, prevent data breaches, and improve developer productivity and development velocity.