OX Report: AI-Generated Code Violates Engineering Best Practices, Undermining Software Security at Scale

OX Security’s Analysis of 300+ Repositories Details 10 Critical Anti-Patterns and “Army of Juniors” Effect at Root of Cybersecurity Crisis

OX Security released a comprehensive research report revealing that AI coding tools are creating an “Army of Juniors” effect in software development – behaving like talented, fast and functional junior developers, yet fundamentally undermining software security at scale due to a lack of architectural judgment and security awareness. The study, which analyzed over 300 open-source repositories, identifies 10 critical anti-patterns that systematically violate established software engineering best practices. It also details the prevalence of each anti-pattern, with many issues showing up in the vast majority of AI-generated code.

Researchers found that while AI-generated code doesn’t contain more vulnerabilities per line than human code, the current security crisis stems from what researchers call being “insecure by dumbness” – non-technical users deploying applications built with AI tools at unprecedented velocity, without corresponding security expertise.

“Functional applications can now be built faster than humans can properly evaluate them,” said Eyal Paz, VP of Research at OX Security. “The problem isn’t that AI writes worse code, it’s that vulnerable systems now reach production at unprecedented speed, and proper code review simply cannot scale to match the new output velocity.”

Also Read: AiThority Interview with Jonathan Kershaw, Director of Product Management, Vonage

The study identified 10 Critical Anti-Patterns, systematic behaviors that directly contradict decades of software engineering best practices:

• Comments Everywhere (found in 90-100% of AI-generated code): Excessive inline commenting dramatically increases computational burden and makes code harder to check
• By-The-Book Fixation (found in 80-90% of AI-generated code): Rigidly follows conventional rules, missing opportunities for more innovative, improved solutions
• Over-Specification (found in 80-90% of AI-generated code): Creates hyper-specific, single-use solutions instead of generalizable, reusable components
• Avoidance of Refactors (found in 80-90% of AI-generated code): Generates functional code for immediate prompts but never refactors or architecturally improves existing code
• Bugs Déjà-Vu (found in 70-80% of AI-generated code): Violates code reuse principles, causing identical bugs to recur throughout codebases, requiring redundant fixes
• “Worked on My Machine” Syndrome (found in 60-70% of AI-generated code): Lacks deployment environment awareness, generating code that runs locally but fails in production
• Return of Monoliths (found in 40-50% of AI-generated code): Defaults to tightly-coupled monolithic architectures, reversing decade-long progress toward microservices
• Fake Test Coverage (found in 40-50% of AI-generated code): Inflates coverage metrics with meaningless tests rather than validating logic
• Vanilla Style (found in 40-50% of AI-generated code): Reimplements from scratch instead of using established libraries, SDKs, or proven solutions
• Phantom Bugs (found in 20-30% of AI-generated code): Over-engineers for improbable edge cases, causing performance degradation and resource waste

The research identifies critical action items:

• Abandon code review as primary security: It cannot scale with AI output velocity
• Role transformation: Position AI for implementation while humans focus on architecture and security oversight
• Embed security in workflows: Build security instruction sets directly into AI coding processes
• Adopt AI-native security: Traditional tools designed for human development pace cannot match AI velocity

“This report does an excellent job covering the emerging risks of AI-generated code,” according to independent industry analyst James Berthoty. “Many of these issues are shipping short-term features without long-term considerations, which is exactly how the most severe security vulnerabilities are introduced.”

[To share your insights with us as part of editorial or sponsored content, please write to psen@itechseries.com]