security review is becoming an afterthought in ai-driven development
Posted by minimal-salt@reddit | ExperiencedDevs | 15 comments
half my team has been relying heavily on claude for coding and honestly they started skipping manual security checks when the generated code "looked clean" and passed basic tests.
last month we deployed a nextjs app where one teammate had claude generate the auth endpoints. everything worked perfectly in dev and staging. three weeks later discovered it had a subtle sql injection vulnerability in the user search function. claude wrote syntactically correct code that sanitized most inputs but missed one edge case.
made me realize the team was trusting ai output too much without proper validation. talked with them about improving our workflow and code quality. implemented three steps:
- review with claude for minimum 30-60 minutes on the latest code they wrote
- use gpt-5 at cursor or warp to double-check architecture and catch missing pieces
- before pushing pr, scan code with coderabbit cli or vscode extension
it's improved our code quality significantly. the scary part was how confident claude sounded when explaining security implementations to them, making it easy to assume everything was bulletproof
questions for the community:
- do you do separate security reviews for ai-generated code?
- any tools or processes you use to validate ai security implementations?
- has anyone else seen similar "looks secure but isn't" issues on their teams?
want to know how others are handling this balance between ai productivity and actual security
InAppropriate-meal@reddit
You should not be using ai to code anyway, what's so wrong with your team they cannot code themselves?
Rymasq@reddit
nothing wrong with using AI to code. A lot wrong with not having code linters, quality scans, and vulnerability scans.
Tokipudi@reddit
Because no good developer has ever missed any edge cases. Ever. This obviously would never have happened without AIs. The fact that no dev caught this issue during code review is not the problem here.
/s
Beneficial-Ad-104@reddit
Also why are you even sanitising inputs? We have had query parameters for millennia
forgottenHedgehog@reddit
People write query languages. Instead of parsing it to an AST and then validating and converting it into SQL expression, they take shortcuts and just do odd regexes.
onafoggynight@reddit
This is the real issue. Any sane framework / architecture should default to that.
liitle-mouse-lion@reddit
The developer, the unit tests, QA, the stakeholder, they all missed it. A tale as old as time
Esseratecades@reddit
All code is subject to the same review, scan, and approval processes, AI generated or not. If you start breaking the rules or making exceptions or excuses for AI you'll have lots of quickly written code that nobody knows enough about to actually maintain.
onafoggynight@reddit
The real wtf: why is SQL injection still a thing in 2025. That's not a failing particular to AI, but an architectural defect.
For god's sake, stop concatenating strings / dynamically composing sql, and use parameterized queries as a bare minimum.
Any dynamic SQL should raise red flags, be picked up by tooling, and double checked.
Any case that is not deliberately documented, should be an auto reject during review, no matter if written by AI or a human.
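Added example (not from any commenter, and not the code from the original incident): a sketch of the approach described in the two comments above, where a small `field:value` search filter is parsed into an AST, checked against an allowlist, and compiled to a parameterized query. The table, columns, field names and the PostgreSQL-style `$1` placeholders are assumptions; the returned `{ text, values }` object is the shape node-postgres accepts for a query.

```javascript
// Added example. Table, column and field names are hypothetical.
// Allowlist: filter field -> column, operator, and how the value is bound.
const FIELDS = new Map([
  ["name",  { column: "display_name", op: "ILIKE", bind: (v) => `%${escapeLike(v)}%` }],
  ["email", { column: "email", op: "=", bind: (v) => v.toLowerCase() }],
  ["role",  { column: "role", op: "=", bind: (v) => v, oneOf: ["admin", "member"] }],
]);

// Escape LIKE wildcards so user text matches literally (backslash is the
// default LIKE escape character in PostgreSQL).
function escapeLike(v) {
  return v.replace(/[\\%_]/g, (c) => "\\" + c);
}

// Tokenize `field:value` terms (value may be double-quoted) into a flat AST.
// The regex only recognises structure; it never tries to "clean" a value.
function parseFilter(input) {
  const term = /(\w+):(?:"([^"]*)"|(\S+))\s*/y;
  const ast = [];
  let pos = 0;
  while (pos < input.length) {
    term.lastIndex = pos;
    const m = term.exec(input);
    if (!m) throw new Error(`unparseable filter at offset ${pos}`);
    ast.push({ field: m[1], value: m[2] !== undefined ? m[2] : m[3] });
    pos = term.lastIndex;
  }
  return ast;
}

// Validate each AST node against the allowlist and emit a parameterized
// query: SQL text is built only from constants, user values go in `values`.
function compileUserSearch(input) {
  const values = [];
  const clauses = parseFilter(input.trim()).map(({ field, value }) => {
    const spec = FIELDS.get(field);
    if (!spec) throw new Error(`unknown field: ${field}`);
    if (spec.oneOf && !spec.oneOf.includes(value)) throw new Error(`bad value for ${field}`);
    values.push(spec.bind(value));
    return `${spec.column} ${spec.op} $${values.length}`;
  });
  const where = clauses.length ? ` WHERE ${clauses.join(" AND ")}` : "";
  return { text: `SELECT id, display_name, email FROM users${where} LIMIT 50`, values };
}

// Constructed input: the quote and comment marker stay inside a bound value.
console.log(compileUserSearch(`name:"' OR 1=1 --" role:admin`));
```

Because the SQL text can only ever contain allowlisted column names and placeholders, a reviewer or a lint rule can reject any other query built with string interpolation outright.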
mybuildabear@reddit
I use AI generated code only for writing tests. Excluding frontend code, which I don't write, I don't understand the use-case for using AI to write business logic.
Are you guys pushing enough code every week to have a measurable productivity increase using AI? It requires significantly more time to review the code AI has written, wouldn't you just be better off writing it yourself?
belatuk@reddit
The problem will only get worse as the team depends more and more on AI, diminishing their skills in picking up these types of issues. If they have no vested interest in understanding the code, no amount of processes or tools can help. Code review becomes just going through the motion.
Shookfr@reddit
It always was
-TRlNlTY-@reddit
Honestly, I kind of gave up letting an LLM have free rein over writing code, because it deviates a lot from what I expect, and I practically always go line by line to make sure there are no problems.
I do use it to create reference implementations for things I want, explore API uses, and to write stuff in well defined regions, like some types of tests, or filling some functions.
JazzlikeStranger4619@reddit
Dude.. consider ai code as fresher code. Do you have a merge review for every ai generated code?
Apprehensive_Pea_725@reddit
ai is the new copy paste, doesn't matter how hard you review the code.