AI used extensively for security but not for coding, JFrog survey finds

Most organizations use AI/ML-powered tools to assist in security scanning and remediation, but only a third use them to write code, JFrog reports.


In JFrog’s just-released Software Supply Chain State of the Union 2024 report, the software supply chain platform provider found extensive use of AI and machine learning tools for security. However, only about one in three of the technology professionals the company surveyed said their organizations use AI/ML tools to write code.

While 90% of survey respondents indicate their organizations currently use AI/ML-powered tools in some capacity to assist in security scanning and remediation, only about one in three professionals, 32%, said their organizations use AI/ML-powered tools to write code. This indicates the majority still are wary of the potential vulnerabilities that AI-generated code can introduce to enterprise software, JFrog said.

Released March 19, JFrog’s report combines JFrog Artifactory developer usage data from more than 7,000 organizations, original CVE (Common Vulnerabilities and Exposures) analysis by the JFrog security research team, and commissioned third-party survey data of 1,200 technology professionals worldwide to provide context into the software supply chain landscape.

The report also notes that nearly half of respondents, 47%, said they use between four and nine application security solutions. One-third said they are using 10 or more application security solutions.

Other findings in JFrog’s Software Supply Chain State of the Union 2024 report:

  • Security is taking a toll on productivity. A full 40% of survey respondents said it typically takes a week or longer to get approval to use a new package or library. Approximately 25% of security teams’ time is spent remediating vulnerabilities.
  • Denial of service attacks reign. Nearly half (48.9%) of the CVEs analyzed could be used for a DoS attack, compared with 18.9% that could enable remote code execution. This is good news, JFrog said, because remote code execution has a far more detrimental impact.
  • Not all CVEs are what they seem. After analyzing 212 high-profile CVEs found in 2023, the JFrog security research team downgraded the severity of, on average, 85% of those rated critical and 73% of those rated high.
  • More than half of organizations (53%) use four to nine programming languages, and 31% use more than 10 languages.

Copyright © 2024 IDG Communications, Inc.