Bad Vibes: Comparing the Secure Coding Capabilities of Popular Coding Agents (blog.tenzai.com)

🤖 AI Summary
A recent analysis compared the secure coding capabilities of five popular coding agents (Cursor, Claude Code, OpenAI Codex, Replit, and Devin), focusing on how effectively each writes secure software. Despite the speed advantages these tools offer, the findings highlighted significant security vulnerabilities in the applications they generated. The analysis involved building identical applications with each agent and examining them for vulnerabilities using Tenzai's assessment tool, uncovering 69 vulnerabilities across various classes. The study found that while the coding agents were good at preventing well-established vulnerability classes such as SQL injection and XSS, they struggled with more complex issues, particularly authorization and business logic flaws. For instance, agents often mishandled complex authorization checks, allowing unauthorized access to API functions and critical operations. Moreover, none of the agents implemented essential security controls, such as CSRF protection or security headers, unless the prompt explicitly asked for them. The results underscore the need for vigilance when using coding agents: developers may still face significant security risks, and mitigating them effectively requires a deeper understanding of where these tools fall short.