
Keeping code secure as generative AI accelerates software development


Nation-state hackers. Ransomware gangs. Zero-day exploits. These threats dominate security headlines, painting a picture that enterprise cybersecurity revolves around fending off sophisticated attacks. But in reality, most incidents start with something far less dramatic: small, incremental code changes made by software developers every day.

Small changes, big footprint

According to a study that analyzed GitHub commit data from more than 878,500 developer profiles, the median career developer makes 673 commits per year — nearly three commits per working day. Multiplied across a company’s developers, that is thousands of commits each year. While these code changes are essential — powering bug fixes, performance improvements, and security patches — they can introduce inconspicuous yet serious software quality and security weaknesses when they are not properly tested.

Generative AI accelerates the pace, and the stakes

Generative AI makes it faster and easier to push code. In fact, Microsoft and Google already claim that upwards of 20% to 30% of their code is AI generated. However, it’s also estimated that 45% of AI-generated code introduces OWASP Top 10 security vulnerabilities, a rate that hasn’t improved even in newer models.

For businesses already under pressure to move fast, the breakout of generative AI has opened the floodgates. Teams are constantly being told to do more with less, and to do so faster. But when speed is prioritized over quality, we invite risk.

The speed-quality trade-off

As found in Tricentis’ 2025 Quality Transformation Report, a majority (63%) of organizations report that they ship code changes without fully testing them, citing pressure to release faster. Teams make sure core functionality tests pass before shipping a release, but more thorough tests often get skipped, so problems like data isolation failures or misconfigurations go uncaught.

To be clear, neither incremental changes nor AI-generated code is the problem in itself, and the push for speed is not inherently bad. Yet in today’s environment, these aspects demand particular attention. It’s critical to find the balance between moving fast and staying secure. Software testing is a primary means of reaching that balance.

Secure software starts with testing

While software testing might seem at first glance like a customer-experience (CX) issue, it is fundamental to security, customer trust, and company reputation. Without proper testing and processes in place, even minor oversights can lead to software breakdowns, making testing everyone’s problem.

Take the case of compliance company Vanta: data belonging to hundreds of its customers was exposed, not by a bad actor, but by an erroneous code change. One Reddit thread highlights the broader repercussions, with one user saying: “Not sure whether they got too complacent or just reckless, but you expect higher engineering standards from a company selling compliance and trust to the world.”

Another user claiming to be a customer said, after asking to be released from their contract and being offered a discounted price instead: “No money is worth my data being at risk.”

Vanta’s incident underscores that customer expectations are high, especially when it comes to privacy and security. Businesses cannot afford testing to be an oversight.

Actionable advice for security leaders

With the advent of generative AI, the software landscape has irrevocably transformed. As code gets developed at a faster rate, with AI-generated code introducing new security risks to be addressed, there’s an increased need for testing rigor. Think of it like engineering a bridge. You wouldn’t open a bridge to traffic before testing its structural integrity. Treat software the same way.

In the midst of constant change, there are several actionable ways to keep software quality and security strong.

A good start is to push for shift-left security and testing. As generative AI drives faster development, it can be easy for mistakes to slip through the cracks. That’s why security controls and testing must move earlier in the software development life cycle. It’s not enough to test just before release; code must be tested at every commit and pull request.

Similarly, leaders should advocate for quality and speed to accelerate in tandem. Too often, individual and team performance get measured by KPIs that solely focus on release speed. Promote metrics that also reward safe, secure releases, such as downward-trending vulnerability density and defect escape rates.

It’s also important to modernize testing tooling for today’s demands. To keep up with increased velocity and volume, traditional “finish-line” and manual testing won’t cut it. Make the case for automated, scalable testing frameworks that support both speed and resilience.

Lastly, establish shared accountability for code hygiene. Developer and quality assurance teams already test for functionality, performance, edge cases, and regressions. Strengthen cross-functional collaboration so that coverage also spans security-focused tests such as scanning, threat modeling, and configuration checks.
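As an added illustration of the kind of security-focused test that can run on every commit and pull request, the following Python example (not code from the article, Tricentis, or Vanta) checks tenant data isolation on a constructed in-memory document store. It puts a deliberately buggy query that dropped its tenant filter beside the corrected one, and the `isolation_violations` check is a hypothetical helper that flags any document a tenant can see that belongs to someone else.

```python
"""Tenant-isolation test of the kind a shift-left pipeline runs on every pull request.
Constructed example: an in-memory document store shared by two tenants, a buggy
query that lost its tenant filter in a 'small change', and the corrected query."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    tenant_id: str
    doc_id: int
    body: str


# Constructed sample data: two tenants share one table.
DOCS = [
    Document("acme", 1, "acme SOC 2 evidence"),
    Document("acme", 2, "acme vendor list"),
    Document("globex", 3, "globex pen-test report"),
]


def search_documents_buggy(docs, tenant_id, query):
    # Hypothetical regression: the tenant filter was dropped while adding search,
    # so a match from any tenant is returned to the caller.
    return [d for d in docs if query in d.body]


def search_documents_fixed(docs, tenant_id, query):
    # Correct version: scope to the caller's tenant before matching.
    return [d for d in docs if d.tenant_id == tenant_id and query in d.body]


def isolation_violations(search_fn, docs):
    """Return (tenant, leaked_doc_id) pairs for every document a tenant can
    retrieve that belongs to a different tenant. An empty list means isolation holds."""
    tenants = {d.tenant_id for d in docs}
    leaks = []
    for tenant in sorted(tenants):
        # An empty query matches every document, so any foreign hit is a leak.
        for d in search_fn(docs, tenant, ""):
            if d.tenant_id != tenant:
                leaks.append((tenant, d.doc_id))
    return leaks


if __name__ == "__main__":
    for name, fn in (("buggy", search_documents_buggy), ("fixed", search_documents_fixed)):
        print(name, isolation_violations(fn, DOCS))
```

Wired into CI, a non-empty result from `isolation_violations` fails the pull request before the change reaches a release.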

As security leaders, we know that the best defense is prevention. In an age defined by rapid, AI-driven development, that prevention starts with treating software testing as a front-line security control.

Lee McClendon

Lee McClendon is chief digital and technology officer at Tricentis.
