Safeguard
Industry Analysis

How AI Code Generation Is Changing the Shape of the OWASP...

AI coding assistants are quietly reshuffling the OWASP Top Ten, elevating software supply chain risk and reviving old injection bugs at machine speed.

Safeguard Research Team
Research
Updated 7 min read

A developer asks an AI assistant to write a login endpoint. Eleven seconds later, the code compiles, the tests pass, and the pull request is open. Somewhere in those eleven seconds, the model may have also concatenated a raw SQL string, hardcoded a JWT secret, or imported a package that does not exist on any registry. This is not a hypothetical: a 2021 NYU/Columbia study of GitHub Copilot found vulnerable code in roughly 40% of completions across 89 security-relevant scenarios, and a 2025 Veracode analysis of over 100 large language models found that nearly half of AI-generated code samples failed basic security tests. OWASP is responding. Its 2025 Top Ten refresh reorders and renames categories to reflect where risk is actually concentrating in AI-assisted codebases. Here is what is changing, why, and what to do about it.

What's Actually Changing in the OWASP Top Ten Right Now?

The headline change is that "Vulnerable and Outdated Components" — a category about libraries humans forgot to patch — has been replaced and elevated as "Software Supply Chain Failures," now sitting at A03 in the 2025 draft, up from A06 in 2021. OWASP has also folded Server-Side Request Forgery into Broken Access Control and added a new category, "Mishandling of Exceptional Conditions," addressing the sloppy error handling that shows up constantly in generated code (unhandled exceptions that leak stack traces, swallowed errors that mask failed authorization checks). None of this happened in a vacuum. The OWASP Top Ten has always been a lagging indicator of how software actually gets built, and in 2021 almost none of it was built by autocomplete. By the time the working group convened for the 2025 revision, GitHub was reporting that AI suggested code in the majority of files touched by Copilot users, and Google's CEO told investors in late 2024 that more than a quarter of new code at the company was AI-generated. The list is being redrawn around a codebase that increasingly nobody typed by hand.

Why Do AI Coding Assistants Keep Reintroducing Classic Injection Bugs?

They keep reintroducing them because models are trained to produce statistically plausible code, not verified-safe code, and plausible code is disproportionately drawn from a training corpus full of the exact patterns OWASP has been warning about since 2003. Injection (A03 in 2021, folded into a broader A05 in the 2025 draft) is the clearest case. A 2023 Stanford study led by Neil Perry and Dan Boneh found that developers using an AI code assistant wrote significantly less secure code for tasks like string encryption and SQL query construction than a control group — and were more likely to believe their insecure code was safe. That last part matters as much as the vulnerability itself: the model's fluency creates false confidence, so the human review step that used to catch a sloppy query gets waved through. Veracode's 2025 GenAI Code Security Report backs this up with scale: across tens of thousands of generated samples, models defended against cross-site scripting correctly less than half the time, and Java completions were the least secure of any language tested, failing security checks in roughly 70% of cases. The model is not making a new kind of mistake. It is making 2003's mistakes at 2026's velocity.

Why Did "Vulnerable and Outdated Components" Become "Software Supply Chain Failures"?

It changed name and moved up because the risk shifted from components that are old to components that are fake. Outdated dependencies are still a problem, but AI coding assistants introduced a new failure mode researchers now call "package hallucination" or "slopsquatting": a model confidently recommends a package name that sounds right but was never published. A widely cited 2024 academic study ("We Have a Package for You!") tested 16 popular code-generating LLMs across more than 576,000 code samples and found that roughly 19.7% of the 2.23 million package references generated were hallucinated — with open-source models hallucinating at rates above 20% and even commercial models sitting in the mid single digits. Attackers do not need to guess at zero-days when they can just watch which nonexistent package names an LLM repeats most often, register those names on npm or PyPI, and wait for a developer's AI assistant to suggest the same hallucinated import again. The Python Software Foundation flagged slopsquatting as an active concern in 2025 precisely because the same hallucinated names tend to recur across independent runs of the same model, making them predictable targets. That is a supply chain failure mode that did not meaningfully exist when the 2021 Top Ten was written, and it is why OWASP gave the category a new name and a higher spot.

Is AI-Generated Code Making Insecure Design Worse?

Yes, largely because AI accelerates the writing of code faster than teams have adapted their review and architecture practices to catch design-level flaws. Insecure Design (A04 in 2021) is not about a single bad line — it is about a system built without threat modeling, without rate limiting, without a plan for what happens when an assumption breaks. GitClear's 2024 analysis of over 150 million changed lines of code found that copy-pasted code had overtaken refactored code for the first time in the four years it had been tracking the metric, and that code churn — lines reverted or rewritten within two weeks of being written — was rising in step with AI tool adoption. That pattern is consistent with developers accepting large blocks of suggested code without integrating them into a coherent design, which is exactly how broken access control patterns (still A01, and still the single most reported category in real-world testing) slip past review: the AI-suggested endpoint looks complete, so nobody asks whether it checks the caller's tenant ID before returning data. Insecure design does not show up in a static scan. It shows up in production, which is precisely why it keeps climbing relative to more mechanical flaws that scanners already catch.

How Fast Is This Problem Actually Scaling?

Fast enough that the volume of AI-authored code is now outpacing the industry's ability to review it, based on adoption figures from the last two years alone. Stack Overflow's 2024 developer survey found roughly 76% of respondents were using or planning to use AI tools in their development process, up from 70% the year before, and GitHub reported in 2024 that Copilot had over 1.3 million paid individual subscribers plus enterprise seats spanning tens of thousands of organizations. Every one of those seats is a code-generation endpoint that did not exist when the 2021 Top Ten was ratified. Meanwhile, the average time-to-merge for AI-assisted pull requests has been shown in internal engineering studies to drop noticeably compared to hand-written ones, which compresses the window available for security review without a corresponding increase in reviewer headcount. The result is a widening gap: more code, generated faster, reviewed by the same number of humans, feeding into a dependency graph that a hallucinating model helped populate. OWASP's 2025 restructuring is an attempt to name that gap before it becomes the default explanation in postmortems rather than a footnote in them.

How Safeguard Helps

Safeguard is built for exactly this shift: a world where the riskiest line in your codebase might have been written by a model instead of a person, and where the fastest-growing threat category is a supply chain failure rather than a hand-typed bug. Safeguard's software composition and provenance checks catch hallucinated and typosquatted package references before they land in a lockfile, closing the slopsquatting gap that the 2025 OWASP refresh now calls out by name. Its SAST and secret-scanning layers are tuned against the specific patterns AI assistants reproduce most often — string-built queries, hardcoded credentials, missing authorization checks on generated endpoints — so the review step that human confidence tends to skip still happens, automatically, on every commit. And because Safeguard maps findings back to OWASP Top Ten and CWE categories, security and engineering teams get a shared vocabulary for triaging AI-generated risk instead of relitigating whether a model-written function counts as "real" code that needs review. As the Top Ten keeps being redrawn around how software actually gets built in 2026, Safeguard's job is to make sure your pipeline catches the new shape of the risk, not just the old one.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.