
Security by Design: Why Bolted-On Protection No Longer Works


Security has traditionally been a specialist domain - expensive expertise consulted too late in the process. Agentic coding is democratizing security, making it accessible to every engineer from day one. But there's a catch: the same tools that accelerate development are also amplifying security risks.

According to Veracode's 2025 GenAI Code Security Report, 45% of AI-generated code introduces OWASP Top 10 vulnerabilities. AI-generated code is 1.88× more likely to introduce improper password handling, 2.74× more likely to add XSS vulnerabilities, and 1.82× more likely to implement insecure deserialization than human-written code. By 2028, Gartner predicts 90% of engineers will use AI code assistants.

This creates an urgent imperative: if AI is generating more code faster, and that code has more vulnerabilities, then security must be built into the development process itself - not bolted on afterward.

Security Built In, Not Bolted On

When AI agents can perform security reviews, hardening, and monitoring, there's no excuse for security to be an afterthought. Any engineer can now leverage specialized security expertise without hiring specialists. This shifts security left - way left. Instead of security reviews before deployment, security happens during implementation, in real-time.

Declining Value

  • Security as afterthought
  • Manual vulnerability scanning
  • Periodic security audits
  • Specialist-only expertise
  • Compliance at release

Rising Value

  • Security by default
  • Continuous AI scanning
  • Real-time vulnerability detection
  • Democratized security tools
  • Compliance by design

The Anthropic 2026 Agentic Coding Trends Report notes that agentic coding is transforming security in two directions at once. As models become more powerful and better aligned, building security into products becomes easier. But as agents gain autonomy over larger codebases, security vulnerabilities could propagate faster than human reviewers catch them.

LLMs are leaking secrets into web browsers - literally shipping database secrets into client-side code. V0 prevents about a thousand such vulnerabilities per day.

Guillermo Rauch, CEO of Vercel

What Changes

The New Security Posture

When security is cheap and continuous, teams can afford to be more aggressive about it:

  • Continuous scanning - Every change checked for vulnerabilities before it can be committed
  • Pattern enforcement - Secure defaults applied automatically by AI reviewers
  • Dependency auditing - Supply chain risks flagged immediately as dependencies change
  • Compliance checking - Regulatory requirements verified by design, not by audit
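A minimal pre-commit gate of the kind the list above describes, as an added Python example (not code from this briefing or from any vendor it cites). It checks only the added lines of a change against the vulnerability classes the briefing names (improper password handling, XSS sinks, insecure deserialization, and database secrets shipped into client-side code); the rule ids, regexes, file-suffix filter and the sample changes are assumptions constructed for illustration.

```python
import re
import sys
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int   # 1-based index within the added lines of that file
    rule: str
    text: str

# Hypothetical rule set: (rule id, regex, file suffixes it applies to, or None for all files).
RULES = [
    ("improper-password-handling",   # plaintext comparison or hard-coded password literal
     re.compile(r"\bpassword\b\s*==|\bpassword\s*=\s*['\"][^'\"]+['\"]"), None),
    ("xss-sink",                     # raw HTML sinks fed by whatever the caller passes in
     re.compile(r"\.innerHTML\s*=|document\.write\(|dangerouslySetInnerHTML"), None),
    ("insecure-deserialization",     # deserializers that execute or construct arbitrary objects
     re.compile(r"\bpickle\.loads?\(|\byaml\.load\((?![^)]*SafeLoader)|\bunserialize\("), None),
    ("secret-in-client-code",        # database credentials must never reach a browser bundle
     re.compile(r"\b(DATABASE_URL|DB_PASSWORD|SECRET_KEY|AWS_SECRET_ACCESS_KEY)\s*[:=]\s*['\"][^'\"]+['\"]"),
     (".js", ".jsx", ".ts", ".tsx", ".html")),
]

def scan_added_lines(path, added_lines):
    """Match every applicable rule against each added line of one file; return the findings."""
    findings = []
    for n, line in enumerate(added_lines, 1):
        for rule, pattern, suffixes in RULES:
            if suffixes and not path.endswith(suffixes):
                continue
            if pattern.search(line):
                findings.append(Finding(path, n, rule, line.strip()))
    return findings

def gate(changes):
    """changes maps file path -> list of added lines. Returns (ok, findings); ok=False blocks the commit."""
    findings = [f for path, lines in changes.items() for f in scan_added_lines(path, lines)]
    return not findings, findings

# Constructed sample of assistant-generated changes (not real project code).
SAMPLE_CHANGES = {
    "web/client.js": ["const DB_PASSWORD = 'hunter2';", "el.innerHTML = userInput;", "const greeting = 'hi';"],
    "api/auth.py": ["if user.password == request.form['password']:",
                    "session = pickle.loads(request.cookies['s'])", "return render(user)"],
}

if __name__ == "__main__":
    ok, findings = gate(SAMPLE_CHANGES)
    for f in findings:
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.text}")
    sys.exit(0 if ok else 1)   # a non-zero exit is what blocks the commit in a pre-commit hook
```

Wired into a pre-commit hook, the same `gate` function would receive the staged diff's added lines instead of the constructed sample; regex rules are a floor, not a replacement for a full SAST pass.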

Within Snyk's customer base, 85% to 90% have adopted AI-based coding assistants. HackerRank reports that 97% of developers are leveraging the technology. This massive adoption makes automated security scanning not just helpful - it's essential.

The Behavior Gap

Here's the troubling pattern: 56% of developers say insecure AI suggestions are common - but few have changed their processes to address it. Despite clear evidence that AI systems consistently make insecure suggestions, security behaviors aren't keeping up with adoption.

Over 75% of respondents in one survey claimed that AI code is more secure than human code. Yet 56% simultaneously admitted that AI-generated code sometimes or frequently introduced security issues. This gap between perception and reality is where vulnerabilities thrive.

The Human Role

Remaining Human Decisions

AI handles the mechanical aspects of security - scanning, pattern matching, known vulnerability detection. Humans still make the judgment calls:

  • What's the acceptable risk for this feature?
  • What's the right tradeoff between security and usability?
  • What threats are we most worried about?
  • How do we balance speed with safety?

Strategy stays human. Execution gets automated. The teams that understand this distinction ship more secure code faster than those who rely on either AI or humans alone.

Human-in-the-loop oversight is being replaced by AI-on-AI monitoring. The window to prevent this outcome is closing rapidly.

Dario Amodei, CEO of Anthropic

Building for Security

Organizations building security into their AI workflows from the start are seeing measurable results: Snyk reports an 84% reduction in mean time to remediate with AI SAST, Veracode fixed 131 million flaws in 2025, and Vercel prevents roughly 1,000 security vulnerabilities per day in v0-generated code.

Sources & Further Reading

Primary sources and recommended reading cited in this briefing.