Why AI-Generated Code Has Security Gaps That Look Like Clean Code

The most dangerous bugs in software are the ones that are invisible during review. Code that looks well-structured, compiles cleanly, and handles common inputs correctly can still contain serious security vulnerabilities that only appear when someone specifically looks for them. AI-generated code has a higher frequency of this pattern than human-written code, for specific and understandable reasons.

Understanding why helps teams know what to look for and where to invest testing effort. This is not an argument against using AI coding assistants. It is an argument for understanding their specific failure modes so you can address them systematically.

Why AI-Generated Code Looks Secure When It Isn't

When an AI model generates code, it draws from patterns learned across a large corpus of training examples. The code it produces reflects what is common in that corpus. Common patterns tend to be structurally correct: they follow language conventions, use appropriate data types, and handle the standard cases.

The security properties of common patterns are more variable. Training data includes code written for different contexts, different threat models, and different platform requirements. Some of that code included the specific sanitization and validation logic your system requires. Some of it did not. The model cannot distinguish between "this code is secure for this specific context" and "this code looks like typical code in this domain."

The result is generated code that uses the right data types and follows the language idioms, but misses the specific security constraints of your system. The code looks clean because the structural patterns are correct. The security gap is in the domain-specific layer that the model cannot derive from training data alone.

The Three Most Common Security Gaps

Missing Input Sanitization

Functions that accept data from outside the trusted perimeter of the system need explicit sanitization before that data is used in sensitive operations. SQL query construction, shell command execution, HTML rendering, and file path operations all require the input to be transformed into a safe form before use.

AI-generated code frequently uses the right mechanism at the outer layer (parameterized queries, escaped templates, structured path operations) but misses the sanitization of intermediate values that pass through multiple functions before reaching the sensitive operation. Each individual function looks correct in isolation. The gap is in the data flow: unsanitized data reaches a sensitive operation through a path that no single function was responsible for sanitizing.

OWASP maintains a comprehensive catalog of these patterns for each vulnerability category. The injection testing section specifically documents how injection vulnerabilities propagate through multi-layer systems where each layer appears individually correct.

Silent Error Handling

When AI-generated code calls an external dependency and that dependency fails, the most common response in generated code is to catch the exception and return an empty or default value. The function does not throw. The calling code receives a result that looks like an empty success rather than a failure signal.

This pattern creates two security problems. First, it hides authentication and authorization failures. If a function that checks permissions catches an exception from the permission service and returns a default, and the default is "allow," then permission service failures silently grant access. Second, it creates exploitable ambiguity: an attacker who can reliably cause specific dependencies to fail can use that to trigger the default behavior.

Explicit error propagation is the correct pattern, and it is worth testing specifically. For each function in AI-generated code that calls external dependencies, write a test that injects a failure and verifies the function propagates the error rather than returning a safe-looking default. Snyk can identify dependency vulnerabilities that might be exploited to trigger these failures intentionally.

Dependency Version Risk

AI models suggest packages that are common in their training data. Common packages in training data may have known vulnerabilities in their current versions. The code looks legitimate: the package is a standard one used across the industry. The vulnerability is in a specific version that was current when the training data was collected.

Semgrep addresses the code pattern side of this: it can identify uses of deprecated API patterns or unsafe function calls that indicate a dependency is being used in a way known to be insecure. Dependency manifest scanning (Snyk and others) identifies the packages themselves that have outstanding CVEs. Both checks are worth running on any codebase where AI assistants are contributing code with package imports.

What Security Testing for AI Code Looks Like

The testing approach for security gaps in AI-generated code has three components that complement each other.

Static analysis runs first, without executing the code. It identifies patterns in the source that match known vulnerability signatures: unsafe string interpolation, unparameterized query construction, hardcoded credentials, and other structural issues. This layer is fast and catches the obvious cases. Tools like ESLint with security plugins and Semgrep with the community rule library cover the major categories.

Behavioral tests with adversarial inputs run the code against the specific inputs that exploit common vulnerabilities. SQL injection strings, path traversal sequences, oversized inputs, encoding edge cases, and null byte injection are standard categories. The OWASP test guide documents the canonical payloads for each category. A parameterized test structure that drives an input-handling function through these payloads takes an hour to write and provides ongoing protection as the code evolves.

Dependency scanning checks the packages imported by AI-generated code against known vulnerability databases. This is a distinct concern from the code's own logic. The code can be correct while relying on a dependency with a known CVE. Scanning the dependency manifest at CI time catches new vulnerabilities as they are disclosed, not just at the time the code was written.

The Review Problem That Makes This Harder

Human code review is somewhat less effective for AI-generated code than for code the reviewer wrote themselves, and this matters most in security review.

When a developer reviews code they wrote, they have a mental model of the threat surface they were thinking about while building the function. The review is partly verification against that threat model. The reviewer knows which parts of the implementation they were confident about and which parts they guessed on.

When a reviewer examines AI-generated code, they have no such mental model. They are reading code cold. The code looks structurally correct. The patterns match what legitimate code looks like. The security gap that exists is not in the pattern the reviewer can see but in the specific constraint the pattern does not encode.

Automated security tests compensate for this gap by making the threat surface explicit and verifiable. A test that runs the input-handling function against injection payloads does not require the reviewer to know that injection is a concern. It encodes that concern permanently, running it on every subsequent change to the function.

Applying This Without Slowing Down Development

The velocity benefit of AI-assisted development is real. Teams that adopt AI coding assistants write more code faster. The risk is that the volume of untested or under-tested code increases at the same rate.

The security testing approach described here does not have to eliminate the velocity benefit. Static analysis integrates into pre-commit hooks and runs in under two minutes. Parameterized tests with adversarial inputs are faster to write than extensive prose documentation of the security requirements. Dependency scanning adds about fifteen seconds to a CI pipeline.

The overhead is real but small. The cost of a production security incident is not. For teams shipping AI-generated code at any meaningful volume, the question is not whether security testing overhead is acceptable. The question is whether the specific security gaps that AI-generated code introduces are acceptable if left untested.

For a structured guide to applying these tests within a standard review workflow, the piece on testing AI-generated code before it ships covers the full process from code generation through CI validation.

The security testing guidance from 137Foundry includes the specific test patterns for each vulnerability category applicable to AI-assisted development engagements, built into the workflow as a standard component rather than a separate quality step.

magnifying glass document close security Photo by ds_30 on Pixabay

Security gaps in AI-generated code are systematic rather than random. They follow predictable patterns that predictable tests can catch. The first step is understanding that clean-looking code is not the same as secure code, and that the difference requires specific verification rather than careful reading.

Comments

Post a Comment

Popular posts from this blog

Why ETL Pipeline Design Decisions Made Today Become Tomorrow's Technical Debt

Image
Data pipelines accumulate technical debt faster than almost any other category of software. The reason isn't complexity - most pipelines are structurally simple. It's that they're written to solve an immediate problem (move this data from here to there) without accounting for how requirements will change, how systems will evolve, and how the people who maintain the pipeline will need to understand and modify it months later. This piece is about the design decisions at the beginning of a pipeline project that determine whether it stays maintainable or becomes a liability. The "Quick Script" Problem Most pipeline technical debt starts with a script that wasn't supposed to last. A developer spends a day connecting two systems, it works, and it gets put in production. Six months later, the original developer is gone, the script has no documentation, it runs on a server that nobody is sure about, and changing anything requires reading the code and hoping you und...
Read more

How to Build Idempotent Webhook Event Processors

Image
Webhook delivery is at-least-once. If your endpoint returns a non-2xx response, the sender will retry. If there's a network timeout during delivery, the sender may retry even after a successful delivery that never reached you. This means your event processor must be idempotent: processing the same event twice must produce the same result as processing it once. Idempotency is not a nice-to-have. It's the fundamental contract that makes webhook integrations reliable. Without it, retry delivery creates duplicate records, double-charged accounts, and duplicate notifications. The Core Idempotency Pattern The standard pattern is event ID tracking. Every webhook sender includes a unique identifier in the payload. Before doing any processing work, check whether you've already processed this ID. If yes, return success and stop. If no, process the event and record the ID as handled. async def process_webhook_event(event_id: str, payload: dict) -> None: async with db.transa...
Read more

Why INP Replaced FID and What That Means for Your Site's Performance Score

Image
In March 2024, Google replaced First Input Delay (FID) with Interaction to Next Paint (INP) as the responsiveness metric in the Core Web Vitals set. This wasn't a minor update to thresholds or methodology. It was a fundamental change in what Google measures when it evaluates whether a page is responsive to users. If your site's responsiveness score looked fine under FID but has declined since the transition to INP, you're not alone. INP is a stricter metric that captures failures FID was structurally unable to detect. Understanding why the change happened and what INP actually measures is necessary context for fixing it. Why FID Was Limited FID measured the delay between a user's first interaction with a page (usually a click or tap) and the point at which the browser began processing the event. It captured only the delay before processing started, not the time required to complete the processing or render the visual response. This meant FID could look good even on ...
Read more