{"id":102624,"date":"2025-07-01T11:40:41","date_gmt":"2025-07-01T09:40:41","guid":{"rendered":"https:\/\/staging.checkmarx.com\/?p=102624"},"modified":"2025-10-16T12:42:50","modified_gmt":"2025-10-16T10:42:50","slug":"ai-speed-vs-software-security-a-conversation-with-checkmarx-ceo-sandeep-johri-and-idcs-katie-norton","status":"publish","type":"post","link":"https:\/\/checkmarx.com\/blog\/ai-speed-vs-software-security-a-conversation-with-checkmarx-ceo-sandeep-johri-and-idcs-katie-norton\/","title":{"rendered":"AI Speed vs. Software Security: A Conversation with Checkmarx CEO Sandeep Johri and IDC\u2019s Katie Norton\u00a0"},"content":{"rendered":"

If you asked a room full of CISOs how AI has changed their work, the answers would mix optimism with anxiety. This tension between acceleration and risk is where modern application security teams now live.  <\/p>\n\n\n\n

As Sandeep Johri, CEO of Checkmarx, shared during our recent Agentic AI Summit<\/a>, AI coding assistants bring meaningful productivity gains, but they also increase concern. <\/p>\n\n\n\n

\u201cAI coding assistants are really a double-edged sword,\u201d he said. \u201cOn one hand, they drive 20, 30, even 40 percent productivity gains. On the other, they raise anxiety because now organizations have to make sure they\u2019re not also multiplying their vulnerabilities.\u201d <\/p>\n\n\n\n

To explore this reality in depth, Johri invited Katie Norton, Research Manager at IDC, to join the conversation.  <\/p>\n\n\n\n

Norton leads IDC\u2019s DevSecOps and supply chain security practice, where she tracks how enterprises are adapting their security strategies for this new AI-powered era of software development.  <\/p>\n\n\n\n

Their discussion revealed what is working today and what is still evolving as organizations learn how to apply both AI coding assistants and autonomous AI application security agents in practical ways. <\/p>\n\n\n\n

AI Coding Assistants Are Everywhere, But Not Without Risk <\/h2>\n\n\n\n

Norton opened with a striking data point: according to IDC, 91% of organizations are now using AI coding assistants in software development.  <\/p>\n\n\n\n

That number highlights how quickly these tools have become standard in engineering workflows in mere years. <\/p>\n\n\n\n

The appeal is clear. Developers report productivity increases of up to 35%, thanks to faster code generation, reduced repetition, and a smoother path to meeting delivery deadlines, but that speed introduces a plethora of security concerns. <\/p>\n\n\n\n

\u201cMuch of the code these assistants are trained on comes from open-source repositories,\u201d Norton explained.  <\/p>\n\n\n\n

\u201cWhile open source is essential, it also contains vulnerabilities and outdated practices. That means AI-generated code can include insecure patterns, unvetted dependencies, or even code with unclear provenance.\u201d <\/p>\n\n\n\n

Higher Expectations, More Pressure, and the Role of Intelligent Support<\/h2>\n\n\n\n

The volume of code now being created adds pressure to AppSec teams. Productivity improvements come at a cost if they are not managed carefully. \u201cIf you say your team is coding 35% faster,\u201d Norton said, \u201cthe business will start expecting that level of output\u201d, which naturally leads to a potential decline in code scrutiny.  <\/p>\n\n\n\n

That pressure does not only apply to developers. AppSec teams are now expected to secure code just as quickly. <\/p>\n\n\n\n

The problem here is that traditional security processes can\u2019t keep pace with Gen AI. The more that gets built, the more security must validate. As Johri noted, the concern is not just about the speed itself, but the widening gap between development and security capacity. <\/p>\n\n\n\n

Ensuring the safety of this new flow of code requires intention. Norton summed it up clearly. \u201cSecuring AI-generated code requires more than trust. It demands the deliberate integration of controls, oversight, and continuous governance.\u201d <\/p>\n\n\n\n

Agentic AI in AppSec Isn\u2019t About Hype, But Help<\/h2>\n\n\n\n

Where AI coding assistants focus on creation, agentic AI in AppSec focuses on control: It introduces a layer of intelligent automation that supports application security efforts without slowing teams down.  <\/p>\n\n\n\n

These agents close the gap that already existed between development speed and security, and broadened by the introduction of AI-gen code. They reduce manual burdens, detect risks as early as the code is typed in, and embed protection where they need to be most. <\/p>\n\n\n\n

\u201cAgentic AI is still in the early days,\u201d Norton shared. \u201cBut we\u2019re seeing real promise. These agents can detect issues, enforce policies, and take predefined actions without waiting for humans.\u201d <\/p>\n\n\n\n

Organizations are embedding agents directly into developer environments. From within the IDE, these agents interpret code as it\u2019s written and scan results, surface contextual security recommendations, and even propose code fixes.  <\/p>\n\n\n\n

Developers get immediate guidance without leaving their workspace. On the AppSec side, agents are already helping triage issues, remove duplicates, and in some cases, apply fixes automatically. <\/p>\n\n\n\n

However,  as Johri pointed out, \u201cThe goal is not just to detect faster. It is to reduce the gap between detection and remediation in a way that does not depend on hiring more people.\u201d <\/p>\n\n\n\n

Agentic AI steps in to help both sides manage those expectations without compromising quality or safety. <\/p>\n\n\n\n

However, autonomous AppSec does not magically work on its own. Johri reminded us that \u201cTechnology only succeeds when it is aligned with people, process, and clear business outcomes.\u201d <\/p>\n\n\n\n

How The Best Organizations Are Doing AppSec Differently <\/h2>\n\n\n\n

Not every company is getting this right. The difference lies in strategy and clarity.  <\/p>\n\n\n\n

IDC research found that 57% of CIOs consider clearly defined business use cases the top success factor for adopting AI agents. Without this clarity, these tools risk becoming fragmented experiments that introduce more complexity than value. <\/p>\n\n\n\n

\u201cThis is not just a tech decision,\u201d Norton said. \u201cThese agents must tie directly to business outcomes and security priorities.\u201d <\/p>\n\n\n\n

The most successful organizations share several things in common: <\/p>\n\n\n\n

    \n
  • \nThey define outcomes first<\/strong>. Whether it is filtering false positives, proposing secure code fixes, or automating triage, every use of agentic AI starts with a purpose. <\/li>\n<\/ul>\n\n\n\n
      \n
    • \nThey embed AI into daily workflows. <\/strong>These tools live where the work happens, inside developer environments and integrated into CI pipelines. <\/li>\n<\/ul>\n\n\n\n
        \n
      • \nThey establish visibility and control. <\/strong>Application security teams need transparency into how AI agents work in order to build trust. <\/li>\n<\/ul>\n\n\n\n
          \n
        • \nThey build culture to support the change.<\/strong> New technology cannot thrive without cultural readiness. Change management, ethical frameworks, and clear governance matter as much as the tech itself. <\/li>\n<\/ul>\n\n\n\n

          As Norton put it, \u201cAgentic AI offers a practical way to embed security. Not just by providing alerts, but by taking action.\u201d <\/p>\n\n\n\n

          Watch the Full Session <\/h2>\n\n\n\n