AI Coding Agents Keep Repeating Decade-Old Security Mistakes

The rapid adoption of AI coding agents promises unprecedented development velocity, yet the recent DryRun Security study shows that speed comes at a steep security cost. By assigning Claude Code, OpenAI Codex, and Google Gemini to build a child‑allergy tracker and a browser‑based racing game, researchers uncovered 143 distinct vulnerabilities across 30 pull requests. The findings reveal a systemic blind spot: agents default to functional correctness while neglecting essential security primitives such as access control, OAuth state parameters, and proper JWT secret handling. Traditional static analysis tools, which rely on pattern matching, failed to flag many of these logic‑level flaws, underscoring the need for more sophisticated, context‑aware scanners.

The vulnerability landscape exposed by the agents is strikingly uniform. Broken access control appeared in every PR, business‑logic failures allowed client‑side manipulation of scores and balances, and OAuth implementations consistently omitted CSRF protections. These classes of bugs are not merely technical oversights; they represent attack vectors that can be exploited at scale once code reaches production. Contextual security analysis, which maps data flows and enforces trust boundaries, identified 88 % of seeded issues in DryRun’s benchmark, dramatically outperforming regex‑based SAST solutions. This gap highlights a broader industry challenge: existing security tooling is ill‑suited to the dynamic, modular code generation patterns of AI agents.

Enterprises looking to harness AI for software development must embed security at every stage of the pipeline. Continuous pull‑request scanning, combined with full‑codebase contextual analysis, catches both incremental and systemic flaws. Moreover, incorporating security considerations during the planning phase can prevent design‑level vulnerabilities that agents otherwise propagate. As AI agents become more capable, the onus is on development teams to pair them with robust, intelligent security frameworks, ensuring that accelerated delivery does not compromise the integrity of the software ecosystem.