Date: 2024-07-25

A new study from Checkmarx shows that 99 percent of enterprises are using AI code generation tools, yet only 29 percent have established any form of governance.

The survey of 900 CISOs and application security professionals worldwide finds 15 percent of respondents have explicitly prohibited the use of AI tools for code generation within their organizations.

"Enterprise CISOs are grappling with the need to understand and manage new risks around generative AI without stifling innovation and becoming roadblocks within their organizations," says Sandeep Johri, CEO at Checkmarx. "GenAI can help time-pressured development teams scale to produce more code more quickly, but emerging problems such as AI hallucinations usher in a new era of risk that can be hard to quantify. Checkmarx has successfully foreseen the problems that can arise with AI-generated code and we're proud to be delivering next-stage solutions within the Checkmarx One platform today."

Among other findings, 70 percent say there is no centralized strategy for generative AI, with purchasing decisions made on an ad-hoc basis by individual departments. 60 percent are worried about GenAI attacks such as AI hallucinations (where GenAI produces inaccurate or silly results), while 80 percent are worried about security threats stemming from developers using AI.

Although 47 percent of respondents say they're interested in allowing AI to make unsupervised changes to code, six percent say that they wouldn't trust AI to be involved in security actions within their vendor tools.

"The responses of these global CISOs expose the reality that developers are using AI for application development even though it can't reliably create secure code, which means that security teams are being hit with a flood of new, vulnerable code to manage," says Kobi Tzruya, chief product officer at Checkmarx. "This illustrates the need for security teams to have their own productivity tools to manage, correlate and help them prioritize vulnerabilities, as Checkmarx One is designed to help them do."

You can get the full report on the Checkmarx site.

