 |
Secure Talk PodcastSecure Talk reviews the latest threats, tips, and trends on security, innovation, and compliance. Author: Justin Beals
Secure Talk reviews the latest threats, tips, and trends on security, innovation, and compliance. Host Justin Beals interviews leading privacy, security and technology executives to discuss best practices related to IT security, data protection and compliance. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics. He is the creator of the patented Training, Tracking & Placement System and the author of Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets, published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College. Language: en Genres: News, Tech News, Technology Contact email: Get it Feed URL: Get it iTunes ID: Get it |
Listen Now...
AI Coding Hype vs Reality: The 2025 AI Code Security Report with Chris Wysopal
Episode 235
Tuesday, 9 September, 2025
In a converted hat factory in 1990s Boston, a group of hackers worked through the night to techno beats and Soul Coughing, driven by a simple philosophy: "smarter beats bigger." One of them, Chris Wysopal, would later stand before Congress and deliver a stark warning—a small group of dedicated hackers could bring down the entire internet in 30 minutes.Today, that same hacker faces a new challenge. The AI revolution everyone celebrates may be creating the largest security vulnerability in computing history.Chris and his team at Veracode just completed the most comprehensive study of AI-generated code ever conducted—testing 100 different language models across 80 coding scenarios over two years. What they discovered contradicts everything the tech industry believes about AI development tools.The Reality Behind the Hype: Despite billions in investment and years of development, AI systems create vulnerabilities 45% of the time—exactly matching human error rates. While AI has dramatically improved at writing code that compiles and runs, it has learned nothing about writing secure code. The models have simply gotten better at disguising their mistakes.The Mathematics of Risk: Development teams now code 3-5x faster using AI assistants like GitHub Copilot and ChatGPT. Same vulnerability rate, exponentially faster development speed equals a multiplication of security flaws entering production systems. Many organizations are simultaneously reducing their security testing capacity just as they accelerate their vulnerability creation rate.The Training Data Problem: The source of the issue lies in contaminated training data. These AI systems have absorbed decades of insecure code from open-source repositories and crowd-sourced platforms like Reddit. They've learned every bad coding practice, every deprecated security measure, every vulnerability pattern from the past 30 years—and they're reproducing them at machine speed.The Technical Reality: Chris walks through specific findings: Java fails security tests 72% of the time, cross-site scripting vulnerabilities appear consistently, and inter-procedural data flows confuse even the most advanced models. The study reveals why some vulnerability types prove nearly impossible for current AI to handle correctly.From Underground to Enterprise: This isn't just another technical report—it's a perspective from someone who helped define modern cybersecurity. The same analytical approach that once exposed vulnerabilities in massive corporate systems now reveals why the AI coding revolution presents unprecedented challenges.The Path Forward: While general-purpose AI struggles with security, specialized models focused on fixing rather than generating code show promise. Chris explains how Veracode's targeted approach to code remediation succeeds where broad AI systems fail, pointing toward solutions that embrace the "smarter beats bigger" philosophy.The hacker who once operated in shadows now examines these systems in broad daylight, revealing how our accelerated development practices may be outpacing our ability to secure them.Chapters00:00 The Origins of Loft Hacking Group07:48 Generative AI in Software Development13:39 Vulnerabilities in AI-Generated Code18:56 The Challenges of Secure Coding24:34 The Future of AI in Software Security29:45 The Impact of AI on Developer RolesResources: Veracode 2025 GenAI Security Report
