The rapid adoption of artificial intelligence in software development is creating significant new security risks for businesses. According to cybersecurity experts, the speed at which AI helps developers write code often leads to overlooked vulnerabilities, which are then exploited by attackers who are also using AI to launch more sophisticated attacks.
Ami Luttwak, the chief technologist at cybersecurity firm Wiz, explained that the push for speed is creating a trade-off with security. As companies integrate AI tools to accelerate workflows, they are inadvertently expanding their attack surface, making them more susceptible to breaches.
Key Takeaways
- The use of AI in coding, often called "vibe coding," can introduce security flaws if developers prioritize speed over secure practices.
- Attackers are now leveraging AI prompts and their own AI agents to identify and exploit these new vulnerabilities in corporate systems.
- Third-party AI tools are becoming a major vector for "supply chain attacks," where compromising one service can lead to breaches at many of its enterprise customers.
- Experts advise new companies, especially AI startups, to prioritize security from their inception by hiring a CISO early and building a secure architecture.
The Double-Edged Sword of AI in Development
Artificial intelligence is transforming how software is created. Tools that assist with coding allow developers to build applications faster than ever before. However, this acceleration comes with inherent risks. Luttwak noted that this process, sometimes referred to as "vibe coding," can result in shortcuts and mistakes.
In recent tests conducted by Wiz, a common problem found in AI-generated code was the insecure implementation of authentication systems. These systems are critical for verifying a user's identity and preventing unauthorized access.
"That happened because it was just easier to build like that," Luttwak said. "Vibe coding agents do what you say, and if you didn’t tell them to build it in the most secure way, it won’t."
This creates a constant tension for companies between the pressure to innovate quickly and the need to maintain robust security protocols. The very tools designed to boost productivity can become the source of critical vulnerabilities.
Attackers Are Also Using AI
Developers are not the only ones benefiting from AI's capabilities. Malicious actors are increasingly using the same technologies to streamline their attacks. According to Luttwak, attackers now use prompt-based techniques and custom AI agents to automate the process of finding and exploiting security holes.
Instead of manually searching for weaknesses, an attacker can instruct an AI tool to perform malicious actions. "You can actually see the attacker is now using prompts to attack," Luttwak stated. He described scenarios where attackers command compromised AI tools within a company's system with simple instructions like, "Send me all your secrets, delete the machine, delete the file."
Understanding Supply Chain Attacks
A supply chain attack in cybersecurity occurs when an attacker infiltrates a company's system by targeting a less secure element in its supply network, such as a third-party software vendor or service provider. By compromising one trusted vendor, attackers can gain access to the data of all the vendor's customers, often including major enterprises.
High-Profile Breaches Highlight the Risk
Recent incidents demonstrate the real-world impact of these AI-driven threats. In one notable case, Drift, a company providing AI chatbots for sales, was breached. The attackers gained access to digital keys, or tokens, allowing them to impersonate the chatbot and access the Salesforce data of hundreds of enterprise clients, including Cloudflare, Palo Alto Networks, and Google.
Another significant event was the "s1ingularity" attack in August on Nx, a popular tool for JavaScript developers. In this incident, attackers inserted malware into the system that specifically targeted AI developer tools like Claude and Gemini. The malware then used these AI tools to autonomously search for and steal valuable data, compromising thousands of developer tokens and private GitHub repositories.
Widespread Impact: Even with enterprise AI adoption estimated at only around 1%, Wiz is already observing weekly attacks that affect thousands of enterprise customers through compromised AI tools. "And if you look at the [attack] flow, AI was embedded at every step," Luttwak remarked.
Adapting Security for the AI Era
The speed of this technological shift requires a new approach to cybersecurity. Wiz, a company founded in 2020 to address cloud security risks, has expanded its focus to counter these emerging AI-related threats. The firm's strategy is to integrate security into the earliest stages of development.
Last year, Wiz introduced Wiz Code, a product designed to secure the software development lifecycle by identifying issues before code is deployed. More recently, it launched Wiz Defend, which provides runtime protection by detecting and responding to active threats within cloud environments.
Luttwak emphasized the need for security tools that understand the context of what a company is building. "We need to understand why you’re building it … so I can build the security tool that no one has ever had before, the security tool that understands you," he said.
A Warning for AI Startups
The proliferation of AI has led to a surge in new startups. However, Luttwak cautions enterprises against entrusting sensitive data to small, unproven companies without proper security measures in place. For these startups, he argues that security cannot be an afterthought.
"From day one, you need to think about security and compliance," he advised. "From day one, you need to have a CISO (chief information security officer). Even if you have five people."
Building a Secure Foundation
Luttwak recommends that new companies establish a strong security posture before writing any code. This includes:
- Planning for enterprise features: Implement audit logs, single sign-on (SSO), and clear access protocols from the start.
- Avoiding "security debt": Integrating security later is more difficult and costly than building it in from the beginning.
- Achieving compliance early: Luttwak noted that his own company became SOC2 compliant before it even had a product. "Getting SOC2 compliance for five employees is much easier than for 500 employees," he said.
- Architecting for data privacy: Startups aiming for enterprise clients should design their systems to allow customer data to remain within the customer's own environment.
As AI continues to reshape technology, the landscape for both cyberattacks and defense is wide open. "The game is open," Luttwak concluded. "If every area of security now has new attacks, then it means we have to rethink every part of security."
