<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Roy Morken</title>
    <description>The latest articles on DEV Community by Roy Morken (@roymorken).</description>
    <link>https://dev.to/roymorken</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3866946%2Fd7310dc7-92d0-467a-a3fa-38cc848365ce.png</url>
      <title>DEV Community: Roy Morken</title>
      <link>https://dev.to/roymorken</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/roymorken"/>
    <language>en</language>
    <item>
      <title>AI-Generated Code Security: 87% of AI Pull Requests Have Vulnerabilities</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:48:09 +0000</pubDate>
      <link>https://dev.to/roymorken/ai-generated-code-security-87-of-ai-pull-requests-have-vulnerabilities-j4l</link>
      <guid>https://dev.to/roymorken/ai-generated-code-security-87-of-ai-pull-requests-have-vulnerabilities-j4l</guid>
      <description>&lt;p&gt;Liquid syntax error: Variable '{{% raw %}' was not properly terminated with regexp: /\}\}/&lt;/p&gt;
</description>
      <category>security</category>
      <category>ai</category>
      <category>webdev</category>
      <category>programming</category>
    </item>
    <item>
      <title>GitHub Copilot Security Flaws: Why AI Code Is Insecure (2026 Data)</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:48:06 +0000</pubDate>
      <link>https://dev.to/roymorken/github-copilot-security-flaws-why-ai-code-is-insecure-2026-data-264j</link>
      <guid>https://dev.to/roymorken/github-copilot-security-flaws-why-ai-code-is-insecure-2026-data-264j</guid>
      <description>&lt;h2&gt;
  
  
  The Research
&lt;/h2&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    In 2023, researchers at Stanford published a study examining code security when developers used AI assistants. Participants with access to an AI coding tool wrote less secure code than the control group working without AI — across multiple programming tasks and languages.




    Separately, Snyk analyzed thousands of AI-generated code snippets and found security issues in approximately 80% of them. The vulnerabilities were not edge cases — they were the OWASP Top 10: SQL injection, missing authentication, insecure defaults, and unvalidated input.




    These studies independently reached the same conclusion: AI coding tools optimize for functionality, not security. The model produces code that works. Whether it's safe is a different question that the model doesn't reliably answer.


  ## What Goes Wrong
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;The most common vulnerability categories in AI-generated code:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    - **Missing authentication checks** — API endpoints that accept requests from anyone
    - **SQL string concatenation** — Instead of parameterized queries
    - **Hardcoded credentials** — API keys and passwords in source files
    - **Disabled security features** — CORS set to `*`, CSRF protection removed to "fix" errors
    - **Insecure randomness** — Using `Math.random()` for tokens instead of cryptographic RNG
    - **Path traversal** — File operations using user input without sanitization
    - **Verbose error messages** — Stack traces and database details exposed to users




    The pattern is consistent: the AI generates the shortest path to working code. Security measures add complexity, so the model skips them unless explicitly prompted.


  ## The Confidence Trap


    The Stanford study found something unsettling: developers who used AI assistants were *more confident* that their code was secure, despite it being less secure. The tool's fluency creates a false sense of correctness.




    When code looks clean and well-structured, reviewers spend less time examining it. AI-generated code is syntactically polished — proper formatting, reasonable variable names, complete function signatures. This surface quality masks the missing security logic underneath.


  ## How to Use Copilot Safely


    - **Add security context to every prompt.** "Write a login endpoint" produces insecure code. "Write a login endpoint with rate limiting, CSRF protection, parameterized queries, and bcrypt password hashing" produces better code.
    - **Never accept multi-line suggestions without reading.** The time saved by accepting quickly is lost many times over when you ship a vulnerability.
    - **Run automated security scanning in CI.** Tools like Semgrep, Bandit (Python), and ESLint security plugins catch common patterns before they reach production.
    - **Use pre-commit hooks for secrets detection.** Block commits containing API keys, passwords, or tokens. The [OWASP WrongSecrets](https://owasp.org/www-project-wrongsecrets/) project documents common secret patterns.
    - **Scan your deployed site regularly.** Configuration drift happens. What was secure at deploy time may not be secure after updates. Run [ismycodesafe.com](/) after every major deployment.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;




&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://ismycodesafe.com/learn/ai-code-security/copilot-security-flaws" rel="noopener noreferrer"&gt;ismycodesafe.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Want to check your website's security?&lt;/strong&gt; &lt;a href="https://ismycodesafe.com" rel="noopener noreferrer"&gt;Run a free scan&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>github</category>
      <category>ai</category>
      <category>programming</category>
    </item>
    <item>
      <title>Detecting AI-Generated Code: 164 Signals and Tools (2026 Guide)</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:48:03 +0000</pubDate>
      <link>https://dev.to/roymorken/detecting-ai-generated-code-164-signals-and-tools-2026-guide-1j0g</link>
      <guid>https://dev.to/roymorken/detecting-ai-generated-code-164-signals-and-tools-2026-guide-1j0g</guid>
      <description>&lt;h2&gt;
  
  
  Why Detection Matters
&lt;/h2&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    AI-generated code and content correlate with security problems. Sites built entirely by AI tools — without human review — tend to ship with default configurations, missing security headers, exposed debug endpoints, and placeholder content that leaks information about the tech stack.




    Detection isn't about judging whether AI was used. It's about identifying patterns that indicate insufficient review. A site with Lorem Ipsum in production probably also has default admin credentials.


  ## Code Fingerprints


    - **Framework boilerplate** — Default Next.js welcome page, Create React App landing content, Vue CLI scaffolding text still present in production
    - **Console.log statements** — Debug logging left in production JavaScript bundles
    - **TODO and FIXME comments** — Visible in page source, indicating incomplete implementation
    - **Inline styles everywhere** — AI tools generate inline CSS instead of using design systems. A page with 50+ inline style attributes is a strong AI indicator.
    - **localhost references** — `http://localhost:3000` or `127.0.0.1` URLs in production code
    - **Default error messages** — "Something went wrong" or framework-default error pages with no customization
    - **Default meta tags** — "Create Next App" or "Vite App" in the page title


  ## Content Fingerprints


    - **Phrase patterns** — AI-generated text reuses specific constructions: "seamlessly integrate", "cutting-edge solution", "empowering users", "at the forefront". We detect 14 common phrase patterns.
    - **Buzzword density** — Marketing jargon concentration above normal levels: "revolutionize", "transform", "game-changing" appearing multiple times on a single page
    - **Paragraph uniformity** — Human writing varies naturally in paragraph length and sentence structure. AI-generated text produces suspiciously uniform blocks.
    - **Placeholder content** — Lorem Ipsum, example.com, John Doe, 123 Main Street, (555) 123-4567


  ## Visual Fingerprints


    - **AI-generated images** — Midjourney, DALL-E, and Stable Diffusion produce images with identifiable artifacts: inconsistent lighting, warped text, extra fingers, asymmetric features in human faces
    - **Stock photo indicators** — Watermarks, Getty/Shutterstock metadata in image files
    - **Favicon missing** — AI-built sites frequently skip the favicon, showing the browser default icon


  ## Trust Signal Gaps


    Google's quality guidelines emphasize E-E-A-T (Experience, Expertise, Authoritativeness, Trustworthiness). AI-generated sites typically lack:




    - An "About" page with real people and credentials
    - A "Contact" page with a physical address or real contact method
    - A privacy policy (required by GDPR for any site collecting personal data)
    - Author attribution on content — who wrote this and why should you trust them?
    - Terms of service




    The absence of these pages doesn't prove AI generation, but the combination of missing trust signals with other fingerprints is a strong indicator.


  ## Automated Detection


    [ismycodesafe.com](/) runs 17 AI content detection checks as part of every scan. The checks look for phrase patterns, buzzword density, placeholder content, boilerplate detection, trust signal gaps, and visual indicators. Each finding gets a severity rating, and the combined results produce an AI Content grade from A (authentic) to F (highly likely AI-generated).




    The point isn't to penalize AI usage — it's to flag sites that shipped without adequate human review. A site that scores poorly on AI content detection almost certainly has security issues too.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;




&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://ismycodesafe.com/learn/ai-code-security/detecting-ai-generated-code" rel="noopener noreferrer"&gt;ismycodesafe.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Want to check your website's security?&lt;/strong&gt; &lt;a href="https://ismycodesafe.com" rel="noopener noreferrer"&gt;Run a free scan&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>ai</category>
      <category>codequality</category>
      <category>webdev</category>
    </item>
    <item>
      <title>OWASP Top 10 2025: What Changed and How to Fix Each Vulnerability</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:48:00 +0000</pubDate>
      <link>https://dev.to/roymorken/owasp-top-10-2025-what-changed-and-how-to-fix-each-vulnerability-2p43</link>
      <guid>https://dev.to/roymorken/owasp-top-10-2025-what-changed-and-how-to-fix-each-vulnerability-2p43</guid>
      <description>&lt;p&gt;Liquid syntax error: Variable '{{% raw %}' was not properly terminated with regexp: /\}\}/&lt;/p&gt;
</description>
      <category>security</category>
      <category>webdev</category>
      <category>owasp</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>SQL Injection Prevention in Python and Node.js: Parameterized Queries Guide</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:47:57 +0000</pubDate>
      <link>https://dev.to/roymorken/sql-injection-prevention-in-python-and-nodejs-parameterized-queries-guide-3bi8</link>
      <guid>https://dev.to/roymorken/sql-injection-prevention-in-python-and-nodejs-parameterized-queries-guide-3bi8</guid>
      <description>&lt;p&gt;Liquid syntax error: Variable '{{% raw %}' was not properly terminated with regexp: /\}\}/&lt;/p&gt;
</description>
      <category>security</category>
      <category>python</category>
      <category>node</category>
      <category>database</category>
    </item>
    <item>
      <title>XSS Prevention in React and Next.js: Stop Cross-Site Scripting Attacks</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:47:54 +0000</pubDate>
      <link>https://dev.to/roymorken/xss-prevention-in-react-and-nextjs-stop-cross-site-scripting-attacks-4i8h</link>
      <guid>https://dev.to/roymorken/xss-prevention-in-react-and-nextjs-stop-cross-site-scripting-attacks-4i8h</guid>
      <description>&lt;p&gt;Liquid syntax error: Variable '{{% raw %}' was not properly terminated with regexp: /\}\}/&lt;/p&gt;
</description>
      <category>security</category>
      <category>react</category>
      <category>nextjs</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Web Application Security Guide for Developers: SSL, Headers, CORS, and Cookies</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:47:51 +0000</pubDate>
      <link>https://dev.to/roymorken/web-application-security-guide-for-developers-ssl-headers-cors-and-cookies-3eaf</link>
      <guid>https://dev.to/roymorken/web-application-security-guide-for-developers-ssl-headers-cors-and-cookies-3eaf</guid>
      <description>&lt;p&gt;Liquid syntax error: Variable '{{% raw %}' was not properly terminated with regexp: /\}\}/&lt;/p&gt;
</description>
      <category>security</category>
      <category>webdev</category>
      <category>devops</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>How to Configure Security Headers in Nginx, Apache, and Express (2026 Guide)</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:47:48 +0000</pubDate>
      <link>https://dev.to/roymorken/how-to-configure-security-headers-in-nginx-apache-and-express-2026-guide-1495</link>
      <guid>https://dev.to/roymorken/how-to-configure-security-headers-in-nginx-apache-and-express-2026-guide-1495</guid>
      <description>&lt;p&gt;Liquid syntax error: Variable '{{% raw %}' was not properly terminated with regexp: /\}\}/&lt;/p&gt;
</description>
      <category>security</category>
      <category>devops</category>
      <category>nginx</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Let's Encrypt SSL Setup Guide: Free HTTPS Certificate in 2026</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:47:45 +0000</pubDate>
      <link>https://dev.to/roymorken/lets-encrypt-ssl-setup-guide-free-https-certificate-in-2026-469i</link>
      <guid>https://dev.to/roymorken/lets-encrypt-ssl-setup-guide-free-https-certificate-in-2026-469i</guid>
      <description>&lt;p&gt;Liquid syntax error: Variable '{{% raw %}' was not properly terminated with regexp: /\}\}/&lt;/p&gt;
</description>
      <category>security</category>
      <category>devops</category>
      <category>ssl</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>NIS2 Compliance Checklist for Developers: 10 Security Measures You Must Implement</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:47:42 +0000</pubDate>
      <link>https://dev.to/roymorken/nis2-compliance-checklist-for-developers-10-security-measures-you-must-implement-4fbg</link>
      <guid>https://dev.to/roymorken/nis2-compliance-checklist-for-developers-10-security-measures-you-must-implement-4fbg</guid>
      <description>&lt;h2&gt;
  
  
  What Is NIS2?
&lt;/h2&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    The NIS2 Directive (Directive (EU) 2022/2555) replaces the original NIS Directive from 2016. It entered into force in January 2023, with EU member states required to transpose it into national law by October 2024. It significantly expands the scope, requirements, and penalties for cybersecurity in the EU.




    Where NIS1 focused narrowly on operators of essential services and digital service providers, NIS2 covers 18 sectors and introduces two categories: "essential entities" and "important entities." The full text is available on [EUR-Lex](https://eur-lex.europa.eu/eli/dir/2022/2555).


  ## Who It Applies To
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Essential entities&lt;/strong&gt; (highest requirements):&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    - Energy (electricity, oil, gas, hydrogen)
    - Transport (air, rail, water, road)
    - Banking and financial market infrastructure
    - Health (hospitals, labs, pharma, medical devices)
    - Drinking water and wastewater
    - Digital infrastructure (DNS, TLD registries, cloud, data centers, CDNs)
    - ICT service management (managed services, managed security services)
    - Public administration
    - Space
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Important entities&lt;/strong&gt; (slightly lower requirements):&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    - Postal and courier services
    - Waste management
    - Chemical manufacturing and distribution
    - Food production and distribution
    - Manufacturing (medical devices, electronics, machinery, motor vehicles)
    - Digital providers (online marketplaces, search engines, social platforms)
    - Research organizations




    Size matters: NIS2 generally applies to medium-sized and large entities (50+ employees or €10M+ turnover). But some entities are covered regardless of size — DNS services, TLD registries, and qualified trust services, for example.


  ## Security Requirements
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Article 21 lists minimum cybersecurity risk management measures:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    - Risk analysis and information system security policies
    - Incident handling (prevention, detection, response)
    - Business continuity and crisis management (backups, disaster recovery)
    - Supply chain security (security requirements for suppliers)
    - Security in network and information systems acquisition, development, and maintenance (including vulnerability handling and disclosure)
    - Policies and procedures to assess the effectiveness of cybersecurity measures
    - Basic cyber hygiene practices and cybersecurity training
    - Policies on the use of cryptography and encryption
    - Human resources security, access control policies, and asset management
    - Multi-factor authentication (MFA) or continuous authentication solutions


  ## Incident Reporting
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;NIS2 introduces a three-stage reporting obligation for significant incidents:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    - **Early warning within 24 hours** — Notify the national CSIRT (Computer Security Incident Response Team) or competent authority. Include whether the incident is suspected to be caused by unlawful or malicious acts.
    - **Incident notification within 72 hours** — Update with an initial assessment: severity, impact, and indicators of compromise.
    - **Final report within one month** — Detailed description of the incident, root cause analysis, mitigation measures applied, and cross-border impact if applicable.




    A "significant incident" is one that causes or could cause severe operational disruption or financial loss, or affects other entities by causing considerable damage. [ENISA](https://www.enisa.europa.eu/topics/nis-directive) provides guidance on classification.


  ## Management Liability


    NIS2 Article 20 requires that management bodies of essential and important entities approve cybersecurity risk management measures and oversee their implementation. Management must undergo cybersecurity training.




    The directive explicitly states that management bodies can be held personally liable for non-compliance. Member states can implement measures that allow competent authorities to require specific remediation — and to temporarily ban individuals from exercising managerial functions in case of repeated violations.


  ## Penalties


      | Entity Type        | Maximum Fine                                 |
      |--------------------|----------------------------------------------|
      | Essential entities | €10 million or 2% of global annual turnover  |
      | Important entities | €7 million or 1.4% of global annual turnover |
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;National authorities can also impose periodic penalty payments, order compliance audits, issue binding instructions, and require public disclosure of non-compliance.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;  ## How to Prepare


    - **Determine if NIS2 applies to you.** Check your sector and size against the categories above.
    - **Conduct a risk assessment.** Identify your critical systems, data flows, and threats.
    - **Implement Article 21 measures.** Start with MFA, encryption, backup, and vulnerability management.
    - **Establish incident response.** Create a documented plan with clear roles, communication templates, and CSIRT contact details.
    - **Audit your supply chain.** Map your suppliers and assess their security practices.
    - **Train management.** Board-level cybersecurity awareness is a legal requirement.
    - **Run regular vulnerability scans.** [ismycodesafe.com](/) covers web application security across 110 checks. Use it alongside infrastructure-level scanning tools.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;




&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://ismycodesafe.com/learn/compliance/nis2-directive-2026" rel="noopener noreferrer"&gt;ismycodesafe.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Want to check your website's security?&lt;/strong&gt; &lt;a href="https://ismycodesafe.com" rel="noopener noreferrer"&gt;Run a free scan&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>compliance</category>
      <category>webdev</category>
      <category>devops</category>
    </item>
    <item>
      <title>GDPR for Developers: Practical Compliance Guide for Web Apps</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:47:39 +0000</pubDate>
      <link>https://dev.to/roymorken/gdpr-for-developers-practical-compliance-guide-for-web-apps-540k</link>
      <guid>https://dev.to/roymorken/gdpr-for-developers-practical-compliance-guide-for-web-apps-540k</guid>
      <description>&lt;h2&gt;
  
  
  Does GDPR Apply to You?
&lt;/h2&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    If your website has visitors from the EU/EEA and you collect any personal data, yes. "Personal data" under GDPR includes: names, email addresses, IP addresses, cookie identifiers, device fingerprints, and location data. If you run Google Analytics or set a session cookie, you&amp;amp;apos;re processing personal data.




    It doesn't matter where your company is based. A US company with European users must comply. The [official GDPR regulation](https://eur-lex.europa.eu/eli/reg/2016/679/oj) (Article 3) makes this explicit.


  ## Consent Management


    You need a lawful basis to process personal data. For analytics and marketing cookies, that basis is almost always consent. The requirements for valid consent:




    - Consent must be **freely given** — no "accept all or leave" dark patterns
    - Consent must be **specific** — separate toggles for analytics, marketing, functional cookies
    - Consent must be **informed** — explain what data you collect and why
    - Pre-checked boxes are **illegal** — opt-in, not opt-out
    - Withdrawing consent must be as easy as giving it
    - **No tracking before consent** — don't load Google Analytics until the user clicks "Accept"


  ## Data Minimization


    Only collect data you actually need. If your signup form asks for name, email, phone, address, date of birth, and company — but only needs email to function — you're violating data minimization.




    Audit every form field: can the feature work without this data? If yes, remove the field. Store data for the minimum time necessary. Set retention policies and automate deletion.


  ## Encryption Requirements
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;GDPR Article 32 requires "appropriate technical measures" to protect personal data. In practice, this means:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    - **Encryption in transit** — TLS 1.2+ on all pages. No HTTP fallback. HSTS header enabled.
    - **Encryption at rest** — Encrypt personal data in your database. Use your database's built-in encryption or application-level encryption for sensitive fields.
    - **Password hashing** — bcrypt, scrypt, or Argon2. Never MD5 or SHA-1.
    - **Key management** — Encryption keys stored separately from encrypted data. Use a key management service (AWS KMS, GCP KMS, Vault).


  ## Breach Notification


    If personal data is compromised, you have **72 hours** to notify your supervisory authority (the data protection authority in your EU member state). If the breach poses a high risk to individuals, you must also notify affected users "without undue delay."




    This means you need: breach detection capabilities (logging, monitoring, alerting), an incident response plan, and contact details for your supervisory authority. The [ICO breach reporting guidance](https://ico.org.uk/for-organisations/report-a-breach/) provides a practical template.


  ## User Rights You Must Support


    - **Right of access** (Article 15) — Users can request a copy of all data you hold about them
    - **Right to rectification** (Article 16) — Users can correct inaccurate data
    - **Right to erasure** (Article 17) — "Right to be forgotten." Delete all personal data on request.
    - **Right to data portability** (Article 20) — Provide data in a machine-readable format (JSON, CSV)
    - **Right to object** (Article 21) — Users can opt out of processing for direct marketing at any time
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Build these as features. An admin panel where you can export and delete user data. An unsubscribe link that actually works. A settings page where users control their data.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;  ## Privacy by Design
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;GDPR Article 25 requires "data protection by design and by default." Concretely:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;    - Default settings should be the most privacy-friendly option
    - New features should be evaluated for privacy impact before launch
    - Access to personal data should be restricted to those who need it
    - Data should be pseudonymized where possible


  ## Developer Checklist


    - HTTPS everywhere with HSTS
    - Cookie consent banner with genuine opt-in (no pre-checked boxes)
    - No tracking scripts before consent
    - Privacy policy linked from every page
    - Data export endpoint (JSON/CSV)
    - Account deletion endpoint that removes all personal data
    - Password hashing with bcrypt/Argon2
    - Encryption at rest for sensitive database fields
    - Security logging and breach detection
    - Documented incident response procedure
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;




&lt;p&gt;&lt;em&gt;This article was originally published on &lt;a href="https://ismycodesafe.com/learn/compliance/gdpr-for-developers" rel="noopener noreferrer"&gt;ismycodesafe.com&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Want to check your website's security?&lt;/strong&gt; &lt;a href="https://ismycodesafe.com" rel="noopener noreferrer"&gt;Run a free scan&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>webdev</category>
      <category>privacy</category>
      <category>tutorial</category>
    </item>
    <item>
      <title>Does Website Security Affect SEO Rankings? E-E-A-T Trust Signals Explained</title>
      <dc:creator>Roy Morken</dc:creator>
      <pubDate>Wed, 08 Apr 2026 12:47:37 +0000</pubDate>
      <link>https://dev.to/roymorken/does-website-security-affect-seo-rankings-e-e-a-t-trust-signals-explained-2e28</link>
      <guid>https://dev.to/roymorken/does-website-security-affect-seo-rankings-e-e-a-t-trust-signals-explained-2e28</guid>
      <description>&lt;p&gt;Liquid syntax error: Variable '{{% raw %}' was not properly terminated with regexp: /\}\}/&lt;/p&gt;
</description>
      <category>security</category>
      <category>seo</category>
      <category>webdev</category>
      <category>programming</category>
    </item>
  </channel>
</rss>
