Free tools. Get free credits everyday!

Cliptics Logo
Home

"AI Coding Tools: Better Software or Worse? | Cliptics"

Olivia Williams

Code editor split screen showing AI generated code with green highlights and security vulnerability warnings with red highlights in a dark theme IDE

Every developer I know is using AI coding tools now. Copilot, Cursor, Claude Code, Cody, you name it. The productivity boost is real. But so is a growing pile of evidence that AI generated code ships with serious security problems nobody wants to talk about.

So which is it? Are these tools making us better engineers, or are we building the most vulnerable software in computing history?

I spent the last few months digging into research papers, production incident reports, and real security audit data to find out. The answer is more complicated than either side wants to admit.

The Productivity Numbers Are Staggering

Let me start with what's undeniably true. AI coding tools make developers faster. A lot faster.

GitHub's own research showed developers using Copilot completed tasks 55% faster than those coding without it. That's not a marginal improvement. That's a fundamental shift in how fast software gets built.

And it's not just speed. Developers report writing more complete test suites because the AI handles the boilerplate. Junior developers ramp up faster because they can learn patterns from AI suggestions instead of spending hours reading documentation. Teams ship features that would have taken weeks in a matter of days.

I've seen this firsthand. Tasks that used to require thirty minutes of Stack Overflow searching and documentation reading now take two minutes of prompting. The cognitive load reduction is massive. You spend less time remembering syntax and more time thinking about architecture and logic.

But here's where it gets interesting. Speed and quality aren't the same thing.

The Security Data Nobody Wants to Hear

A Stanford study from 2024 found that developers using AI coding assistants produced significantly more security vulnerabilities than those coding manually. Not slightly more. Significantly more.

The researchers watched participants complete coding tasks with and without AI assistance. The AI group wrote code with more SQL injection vulnerabilities, more cross site scripting holes, more buffer overflows. And here's the kicker: the developers using AI tools rated their code as more secure than the manual group did.

They were more confident and more wrong at the same time.

This makes sense when you think about how these tools work. Large language models trained on public code repositories are learning from all the code on GitHub. Including the enormous amount of insecure code that exists there. The model doesn't distinguish between a secure setup and a vulnerable one. It predicts what code looks likely given the context.

Snyk's 2025 security report found that AI generated code contained known vulnerability patterns at roughly three times the rate of human written code in the same organizations. Three times. That's not a rounding error.

The Vibe Coding Problem

Then there's what people are calling vibe coding. Developers prompting an AI to generate entire applications without deeply understanding the code being produced. Just vibing with it until it works.

I get the appeal. You describe what you want, the AI writes it, you test it, ship it. The feedback loop is incredibly tight and honestly kind of addictive.

But vibe coded applications have a specific failure mode. They work perfectly for the happy path and fall apart catastrophically for edge cases. The developer didn't write the error handling, doesn't fully understand the data flow, and can't debug the failure modes because they never built the mental model of how the code actually works.

I talked to a security consultant who audited three startups that built their MVPs almost entirely with AI assistance. All three had critical authentication bypasses. Not obscure theoretical vulnerabilities. Actual authentication bypasses that would have let anyone access any user's data.

The pattern was the same each time. The AI generated reasonable looking auth code. The developers tested the login flow, it worked, they moved on. Nobody checked the edge cases because nobody fully understood the setup they shipped.

Where AI Coding Tools Actually Excel

Okay, so I've been pretty critical. But I'm not in the camp that says these tools are net negative. They're genuinely great at specific things.

Test generation is probably the biggest win. Writing unit tests is tedious work that developers skip all the time. AI tools generate comprehensive test suites from existing code, and the quality is consistently decent. More test coverage means more bugs caught before production. That's an unambiguous security improvement.

Code review assistance is another legitimate strength. Tools like CodeRabbit and Cursor's review features catch patterns that humans miss because humans get tired and bored during reviews. The AI doesn't get tired. It checks every line with the same attention.

Documentation is another area where AI shines. Well documented code is more maintainable and more secure because other developers can actually understand what it does. AI tools generate documentation that's at least reasonable, which is infinitely better than the no documentation that most codebases have.

And refactoring. AI tools are excellent at mechanical refactoring tasks. Renaming variables, extracting functions, converting between patterns. These aren't glamorous tasks but they make codebases more maintainable, which indirectly improves security.

The Real Problem Isn't the Tools

Here's what I keep coming back to. The vulnerability isn't in the AI. It's in how we're using it.

When a developer uses Copilot to autocomplete a function and then reviews the output carefully, understands what it does, and validates the security properties, the result is fine. Often better than fine, because the AI suggested a pattern the developer might not have known about.

When a developer accepts every suggestion without reading it, or prompts an AI to generate an entire authentication system and ships it without a security review, that's a process failure. The tool didn't create the vulnerability. The workflow did.

The organizations getting the best results from AI coding tools are the ones that updated their security practices alongside their tooling. They added AI specific items to their code review checklists. They run static analysis tools like SonarQube and Snyk on every pull request, regardless of whether a human or AI wrote the code. They treat AI generated code with the same scrutiny as code from a new junior developer: probably fine, but verify everything.

The organizations having security nightmares are the ones that adopted AI tools without changing anything else. Same review process, same testing requirements, same security checks. Except now the code is being written five times faster, which means five times more code flowing through a pipeline that was already struggling to catch human written vulnerabilities.

What the Data Actually Suggests

If you look at the aggregate data across organizations that have been using AI coding tools for more than a year, a pattern emerges.

Bug density per line of code is roughly similar between AI assisted and manually written code. But because developers produce significantly more code with AI assistance, the total number of bugs increases. The rate is the same but the volume is higher.

Security vulnerability severity is where the real difference shows up. AI generated vulnerabilities tend to be more basic and more detectable by automated tools. Human written vulnerabilities tend to be more subtle and harder to catch. This means organizations with good automated security scanning actually benefit from AI coding tools because the vulnerability types are easier for their existing tools to catch.

Organizations without automated security scanning get hit harder because they're now producing more code with more vulnerabilities and their manual review process can't keep up with the volume.

Where This Is Heading

The AI coding tool vendors know about the security problem. GitHub added security focused suggestions to Copilot. Cursor integrates with security linters. Anthropic's Claude specifically refuses to generate certain categories of dangerous code.

But the fundamental tension remains. These tools optimize for code that works, not code that's secure. Those are different things. Code can pass all tests and still have critical security flaws.

The next evolution is probably AI tools that are specifically trained on secure coding patterns and that flag potential vulnerabilities in real time as they generate code. Some early versions of this exist, but they're not mature yet.

My prediction is that within two years, the security gap between AI assisted and manually written code will close significantly. Not because the AI gets dramatically better at security, but because the toolchain around AI generated code will mature. Better static analysis, better runtime monitoring, better automated security testing.

The Bottom Line

AI coding tools are making software development faster. They're making some categories of software better, particularly in areas like test coverage and documentation. But they're also introducing security vulnerabilities at a rate that should concern anyone shipping production software.

The answer isn't to stop using these tools. That ship has sailed. The answer is to treat AI generated code the way you'd treat code from any untrusted source: verify it, test it, scan it, and never assume it's secure just because it works.

The developers and teams who figure this out will build better software faster than anyone in history. The ones who don't will build the most vulnerable software in history. Same tools, completely different outcomes.

It's not the AI that determines which camp you end up in. It's your process.