About This Session
Generative AI has become the fastest coder on the team. It never sleeps, never complains — and it ships code at a speed we’ve never seen before. But there’s a catch: GenAI writes code the way a junior developer would… with root access and no security instincts.

In this talk, we’ll break down real data from the 2025 GenAI Code Security Report, which evaluated over 100 large language models across 80 security-critical coding tasks in Java, JavaScript, C#, and Python. The results are eye-opening: 45% of AI-generated code introduced a known security vulnerability, and that number hasn’t meaningfully improved — even as models get larger and “smarter.”

We’ll explore:

- Why AI-generated code often looks correct but quietly fails security fundamentals
- Which vulnerabilities GenAI struggles with the most (and why XSS and log injection are especially bad)
- Why bigger models don’t mean safer code
- Why GenAI can’t reliably reason about data flow, trust boundaries, or user-controlled input
- A real-world cautionary tale: “Vibe coding” introduced complex business logic flaws that led to miscalculations and workflow errors, showing how AI can unintentionally amplify mistakes

Most importantly, we’ll discuss what this means for real-world development teams using AI copilots today — and how to safely integrate GenAI into your workflow without letting it ship tomorrow’s security incidents. If you’re using AI to write code, this talk will help you understand when to trust it, when to verify it, and why “it compiled” is no longer good enough.
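The log injection case called out above is a good illustration of code that "looks correct" while trusting user-controlled input. The following is an added example (not from the talk or the report): a naive audit-log line of the kind a code assistant typically emits, next to a hardened version that neutralizes control characters so one request cannot forge extra log records. The username value is constructed for the demo.

```python
import logging
import re
from io import StringIO

# Constructed sample input: a username that embeds CRLF followed by a fake record.
TAINTED_USERNAME = "alice\r\n2025-01-01 00:00:00 INFO login succeeded for admin"


def naive_audit_line(username: str, ok: bool) -> str:
    """The shape a generated snippet usually has: the input is trusted as-is."""
    return f"login {'succeeded' if ok else 'failed'} for {username}"


def sanitize_for_log(value: str) -> str:
    """Escape ASCII control characters (CR, LF, NUL, ESC, ...) so the value
    stays on a single log line and cannot terminate or start a record."""
    return re.sub(r"[\x00-\x1f\x7f]", lambda m: f"\\x{ord(m.group()):02x}", value)


def hardened_audit_line(username: str, ok: bool) -> str:
    """Same message, but every user-controlled field passes through the sanitizer."""
    return f"login {'succeeded' if ok else 'failed'} for {sanitize_for_log(username)}"


def emit(line: str) -> str:
    """Write one record through the logging module and return what the handler captured."""
    buf = StringIO()
    logger = logging.getLogger("audit-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.info(line)
    handler.flush()
    logger.removeHandler(handler)
    return buf.getvalue()


def record_count(captured: str) -> int:
    """How many log records a reader (or a SIEM parser) would see in the captured text."""
    return len(captured.splitlines())


if __name__ == "__main__":
    # The naive line yields two records, the second one forged by the input.
    print(record_count(emit(naive_audit_line(TAINTED_USERNAME, False))))     # 2
    print(record_count(emit(hardened_audit_line(TAINTED_USERNAME, False))))  # 1
```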
Topics
- AI Coding Assistants
- Code Generation
- Security