FREE PLAYBOOK FOR ENGINEERING LEADERS

Shipping Secure Code at AI Velocity

Why 45% of AI-generated code fails security tests — and the eight engineering controls that close the gap before your next incident.

The eight controls that make up a defence-in-depth stack for AI velocity — in the order the stack lays them down
The named 2025–2026 attack behind each control — from the s1ngularity/Nx agent hijack to EchoLeak zero-click exfiltration
Where your org sits on the Fortify maturity ladder, and the two controls that would cut your blast radius first
No spam. Unsubscribe anytime.
Shipping Secure Code at AI Velocity
PDF · ~18 PAGES · 8 CONTROLS
Get the playbook.

The eight controls that stop AI-generated security failures — organised by the attack each one blocks. Free, in one sitting.

Your role
Country
WHY THIS PLAYBOOK EXISTS

AI didn't make your code a little less secure. It made insecure code cheap to produce.

In August 2025, a poisoned build tool turned developers' own AI coding agents into an exfiltration engine — 2,349 secrets pulled from 1,079 machines in hours (s1ngularity/Nx). That is not a fluke; it is what AI velocity does to a security review built for human-pace code.

45%

of AI-generated code introduces a security flaw

VERACODE 2025
72%

failure rate for AI-generated Java

VERACODE 2025
80%

of developers bypass their org's AI security policies

SNYK 2025
WHAT'S INSIDE

Eight controls. One attack each.

01

Trust-boundary separation

EchoLeak (CVE-2025-32711, CVSS 9.3) achieved zero-click data exfiltration from a single email. The control: untrusted content can never trigger a privileged action, plus a hidden-Unicode scan on rule files.

02

Dependency allowlist + slopsquat gate

AI hallucinates package names ~20% of the time, and 43% recur deterministically (USENIX 2025). The control: registry, age and reputation checks that block any package under 30 days old.

03

MCP & extension governance

postmark-mcp v1.0.16 BCC'd every email to an attacker across ~300 orgs; WhiteCobra drained $500K via 24 malicious VS Code extensions. The control: pin, allowlist and integrity-check every server and extension.

04

Authority limits on agents

The s1ngularity/Nx script ran agents with --dangerously-skip-permissions to harvest 2,349 secrets. The control: least privilege by default, no skip-permission flags near credentials, post-install scripts disabled in CI.

05

Scan at AI velocity

The 45% failure rate does not improve with newer models (Veracode 2025). The control: SAST/DAST/SCA/IAST inside the PR loop, sub-minute, with AI-specific rules — because a 30-minute scan gets merged past.

06

Provenance + secrets hygiene

AI-assisted commits leak secrets at 3.2%, roughly twice baseline (GitGuardian 2026). The control: commit-time AI tagging, SBOM/AIBOM/PBOM, and blocking — never advisory — secret scanning.

07

Compliance as code

Since 1 Jan 2026, carriers exclude many generative-AI claims and now demand governance evidence to insure the rest. The control: policy-as-code gates and immutable, tamper-evident audit trails.

08

Closed-loop remediation

The same class of flaw ships twice when nothing learns from the first. The control: AI triage by exploitability, and every confirmed vulnerability writes a new anti-pattern back into the AGENTS.md the agents read next.

THE ATTACK THAT WEAPONISED YOUR OWN AI AGENTS

s1ngularity / Nx — 26 August 2025

An attacker stole a publish token for Nx, a widely used JavaScript build tool, and pushed malicious versions to npm. Each carried a post-install script that invoked the developer's own installed AI CLIs — Claude, Gemini, Amazon Q — with --dangerously-skip-permissions, and told them to crawl the filesystem for credentials. Within hours, 2,349 distinct secrets were harvested from 1,079 developer machines and exfiltrated using the victims' own gh CLI. The defence: the Nx script needed two things — the agents' permissions turned off, and the right to run on install. Least privilege by default plus --ignore-scripts in CI removes either, and the attack fails.

THE DEFENCE — AUTHORITY LIMITS + SCAN AT AI VELOCITY (FORTIFY F1)
THE DEFENCE-IN-DEPTH STACK — READ FROM THE OUTER BOUNDARY IN
01

Trust-boundary separation

Stops prompt-injection RCE — EchoLeak, CurXecute, Rules File Backdoor · F3

02

Dependency allowlist + slopsquat gate

Stops the poisoned supply chain — slopsquatting, huggingface-cli · F3

03

MCP & extension governance

Stops malicious tooling — Postmark-MCP, WhiteCobra · F3

04

Authority limits on agents

Stops weaponised agents — s1ngularity/Nx, Replit · F1

05

Scan at AI velocity

Stops the 45% failure rate — Veracode · F1

06

Provenance + secrets hygiene

Stops secret sprawl & copyleft contamination — GitGuardian, Copilot · F2

07

Compliance as code

Stops un-provable governance at audit / insurance renewal · F4

08

Closed-loop remediation

Stops recurrence — the same flaw shipping twice · F5

Controls 1–3 keep bad input and dependencies out; 4 caps what a compromised agent can do; 5 catches what still slips into code; 6 records it; 7 proves it to an outsider; 8 feeds every failure back so it does not recur.

THE CLOCK YOU CAN'T SEE — LIABILITY & INSURANCE

Since 1 January 2026, Verisk's CG 40 47 / CG 40 48 endorsements let carriers broadly exclude generative-AI claims from general-liability cover, with AIG, W.R. Berkley and Great American filing exclusions across D&O, E&O, EPLI and CGL. The carriers still writing coverage now demand proof of governance — AIBOMs, human-in-the-loop logs, red-team evidence — to price it. Control 6 (provenance) and control 7 (compliance-as-code) are exactly that evidence: build them for security and you already hold what keeps your coverage intact.

THE ONE MOVE

The agent had root, the post-install script had the agent, and your credentials went out the front door — signed with your own CLI. One control is a patch; eight controls, ordered by depth and closing a loop, are a pipeline. AI velocity is survivable only as a pipeline.

WHO IT'S FOR

Read this if you're a leader who…

…just watched an AI agent, a poisoned dependency, or a leaked secret do something in your repo that no one authorised.

…can't answer "what is our AI actually allowed to touch, and what stops it exfiltrating a credential?"

…run security review at human pace on code that now ships at machine pace, and feel the gap widening.

…need the two controls that cut your blast radius first — before the incident that proves you needed them, not after.

It best serves the earliest Fortify archetypes — The Blind Shippers (0–20) and The Manual Checkers (21–40) — where the controls deliver the fastest reduction in blast radius.

THE AUTHOR

CRAFT Method wasn't designed in a boardroom. It was forged in production.

It was forged by building production software with AI, every day, for months. FIKR Space — eleven integrated products, built solo plus AI — is the live proof point.

LUIS GONÇALVESCREATOR OF CRAFT METHOD
THE WINDOW

EU AI Act high-risk obligations enforceable

2 AUG 2026

Article 12 logging is architectural, not retrofittable. If it isn't built in, it isn't there when the audit arrives.

Insurance exclusions for generative-AI claims live

1 JAN 2026

The financial backstop for AI-introduced defects is narrowing. The liability is moving onto the balance sheet.

The decision is yours. The clock is not.

QUESTIONS, ANSWERED

Before you ask.

Is this really free?

Yes. The Fortify Playbook is a free download in exchange for your email. You'll get the PDF instantly and the occasional field note — unsubscribe anytime, and we never share your email.

How is this different from a compliance checklist?

It is organised by attack, not by regulation. Every section opens with a named, dated incident that already happened — s1ngularity/Nx, EchoLeak, Postmark-MCP — then the engineering control that would have stopped it. It tells you what an attacker does and what defeats them, not what a clause requires.

Is CRAFT Method tied to a specific AI tool?

No. CRAFT Method is tool-agnostic. The eight controls govern any AI coding assistant — Claude, Copilot, Cursor, or whatever ships next — because the attacks target the pipeline, not the vendor.

What's the Enterprise Diagnostic?

125 questions across all five CRAFT practices, plus a 30-minute live debrief with Luis Gonçalves — including your Fortify score and the top two controls to fix first. Listed at €1,500–2,000; free during the 2026 launch period, limited capacity.