Checkmarx’s 2026 Future of Application Security Report Finds Low Continuous In-IDE AppSec Use
Checkmarx’s 2026 Future of Application Security report said security teams face a growing gap between code development that uses AI tooling and the adoption of continuous application security practices. The survey findings centered on how teams apply security while writing code, how they handle AI governance, and how security issues surface in production.
The report said nearly all developers reported using AI tooling in integrated developer environments, but only 18% said they apply security continuously as they write code. It also reported that organizations with higher shares of AI-generated production code were more likely to ship software with known security vulnerabilities, and that 75% of organizations knowingly deploy vulnerable code at some point.
Functionally, the report linked execution gaps to the role of in-IDE AppSec tooling and to difficulty integrating security into CI/CD pipelines. It also cited pressure on CISOs, with 95% reporting pressure to suppress or delay compliance-related security issues when business deadlines were at stake, and it described exploit windows collapsing from years to minutes.
The report described practices that pair deterministic ground truth with AI-augmented reasoning, prioritize formal AI governance policies, and use automation to convert remediation from manual bottlenecks into defensive strengths. It also stated that Censuswide conducted the survey for Checkmarx between March 10 and March 30, 2026, collecting responses from 2,350 CISOs, AppSec managers, and developers across 14 countries.
“This report points to a massive disconnect between the security crisis that organizations are facing and the incremental steps that they are taking to address it. A completely new model is required,” said Sandeep Johri, CEO of Checkmarx. “Just like the student cannot grade their own exam, AI alone cannot secure code – and, as the research shows, it adds risk. Organizations need security that combines deterministic precision with probabilistic reasoning to identify novel exploitable patterns, while closing the gap between finding a vulnerability and fixing it with better human-guided remediation.”
“We are fighting a battle on two fronts as frontier models accelerate vulnerability discovery across legacy and open-source code, while AI-generated code widens the attack surface in every pipeline,” said Jonathan Rende, Chief Product Officer for Checkmarx. “What was once considered manageable risk, now looks like surrender. Organizations must urgently prioritize three things: collapsing raw findings into actionable signal, embedding remediation into every workflow, and maintaining visibility across every aspect of their software supply chain.”
Provided by Globe Newswire on behalf of Checkmarx.com. Click to read original content.