Your AI Just Built You an App. It Also Built You a Liability.
You type a sentence, wait a few seconds, and an app appears. A login page. A database. A payment flow. No CS degree, no years buried in documentation. Just you, a prompt, and something that actually runs.
I do this too, and I love it. So I'm sorry about what comes next. A new industry report makes a pretty good case that the thing you just shipped is riskier than it looks — and that the people who do security for a living are struggling with the exact same problem.
The report, in one sentence
Checkmarx, an application security company, just put out its annual Future of Application Security in the Era of AI report. It's based on a survey of 2,350 security leaders and developers across 14 countries. They sell security tools, so a little skepticism is healthy here. But the numbers line up with something a lot of us have noticed quietly: we've gotten really good at generating code, and really bad at making sure it's safe.
The whole thing comes down to a gap. We can find security problems faster than ever. We just don't fix them.
"The AI wrote it, so it's probably fine"
Here's the stat that made me put my coffee down. When the researchers grouped companies by how much of their code is AI-generated, the heaviest AI users shipped known-vulnerable code at 3.4 times the rate of the lightest users. And it wasn't a fluke at the extremes — every bracket in between followed the same line. More AI, more vulnerabilities. Every time.
Remember, these are companies. They have security staff, review processes, budgets. Seven in ten of their own developers said AI coding tools added vulnerabilities last year, not removed them.
Now think about the solo builder. No reviewer, no security team, no process. Just an AI that's fast, confident, and genuinely doesn't care whether the thing it made can be broken into. It's not lying when it tells you the app works. It's just answering a different question than the one that matters. "Does it run?" and "Is it safe to put real people's data in?" are not the same question, and the tool only gets graded on the first one.
The pros are drowning too
You'd hope this was just a beginner thing — that the real engineers have it covered. They don't, and this is the part I keep coming back to.
Among the companies surveyed, 75% deploy code they know is vulnerable. About a third ship it and quietly hope nobody notices. Only 9% fix more than 90% of their known vulnerabilities within 90 days. A third still have half their known problems sitting unpatched after that.
And here's the kicker. Nearly three-quarters of security leaders rated their own posture as "advanced" or "highly mature." Of those, 81% got breached at least twice last year. The ones who rated themselves highest sat at the top of almost every risk curve: most AI code, most vulnerable code shipped, breach rates no better than anyone else's. The more confident they were, the worse they were doing.
So if the people with the tools and the staff are this far behind, "my app is probably fine" isn't optimism. It's a guess.
The clock is speeding up
One more piece, and it's why "I'll deal with security later" keeps getting worse as a plan. The report argues the window between a vulnerability existing and someone exploiting it is shrinking fast, because AI can now find and weaponize flaws quicker than people ever could. Take the exact numbers with a grain of salt — again, fear is good for their business. But the direction is hard to argue with. The same jump in capability that lets you build an app over lunch lets someone else go looking for holes in it by dinner. They've got the same magic you do.
"I'll fix it if it becomes a problem" assumes you'll get a heads-up. More and more, you won't.
So what do you actually do?
I'm not telling you to stop. These tools are a genuinely big deal, and locking them behind a CS degree helps nobody. But "I can build it" and "I can responsibly run it" are different skills, and the space between them is where people get hurt — usually the people whose data you collected.
If you're shipping something real, a few honest minimums:
- Treat AI code like a first draft from a fast, careless intern. It needs a review, not a round of applause. If you can't review it yourself, that's telling you something about what you should be building — not giving you permission to skip the step.
- Be stingy about the data you collect. The safest vulnerability is in data you never stored. If you don't genuinely need passwords, addresses, or card details, don't touch them. Hand that to providers who've already solved it.
- Scan before you launch, not after. There are free and cheap tools that catch the obvious, dangerous stuff. You're not chasing perfection, just not shipping things that are trivially easy to break.
- Don't build your own auth or payments. These are solved problems with battle-tested services behind them. "The AI built me a login system" might be the scariest sentence in software right now.
- Assume someone's already poking at it. Anything you put on the public internet gets scanned by bots within hours. Build like that's the case, because it is.
The upside here is real: more people building more things than ever. That's worth being excited about. But the warning in this report hits hardest for anyone building without a net. Generating an app has never been easier. Being responsible for one is exactly as hard as it's always been — and when that goes wrong, the bill lands on whoever trusted your software.
Build the thing. Just don't confuse "it works" with "it's done."
Source: Checkmarx, Future of Application Security in the Era of AI — 2027 Industry Outlook.