Black Duck Software, this week at the Black Hat USA 2025 conference, revealed it has integrated its artificial intelligence (AI) tool for securing software, dubbed Black Duck Assist, into Code Sight, the company's plug-in for integrated development environments (IDEs).
In addition to IDEs such as Eclipse, IntelliJ, and Visual Studio, Code Sight is now available for AI code editors such as Cursor and Windsurf, so that code generated by AI coding tools can be scanned for common vulnerabilities as well. It also provides vulnerability summaries and code analysis without requiring application developers to switch to a different tool.
Black Duck Assist also now supports natural language queries in both the IDE and in the Polaris application security platform. Previously, Black Duck Assist was only available via the Polaris platform.
Patrick Carey, executive director for marketing strategy for Black Duck Software, said extending the reach of Black Duck Assist to the IDE will make it easier for application developers to write more secure code as it is being written, using suggestions to fix code generated in real time by an AI assistant that also surfaces potential intellectual property (IP) violations.
That’s critical when relying on AI tools to write code, because there needs to be an AI assistant that validates the quality of the code being written, one that is not based on the same large language model (LLM) being relied on to create the code in the first place. Otherwise, it becomes less likely that an AI assistant would discover a vulnerability if both the coding tool and the security assistant are based on the same LLM, noted Carey.
The quality of the code being generated can also vary widely depending on the LLM used and the level of prompt engineering expertise of the individual developers, he added. That issue may become even more problematic as more so-called citizen developers use AI tools to generate code. Few professional developers have the level of cybersecurity expertise required to identify vulnerabilities in code, so the odds that amateur developers using vibe coding tools will be able to identify these issues are slim to none.
Rather than acquiring additional tools and platforms to address that issue, Black Duck Software is making a case for using a set of tools and platforms that many DevSecOps teams have already invested in, said Carey.
It’s not clear exactly how much of their code organizations are now generating with AI tools, but usage is pervasive. The challenge is that as the volume of code being generated continues to increase, so too does the potential number of vulnerabilities that might be inadvertently included. It may also be a while before the overall quality of generated code improves, since that depends on AI tools being trained on code that has been vetted for vulnerabilities.
In the meantime, however, there is no going back. The pace at which applications are developed and deployed is going to steadily increase. The challenge is to find ways to review the code used to create those applications as early as possible. After all, the easiest vulnerability to remediate is the one that was never created in the first place.