Table of Contents

An innovative methodology is emerging in the dynamic realm of software development: vibe coding. Developers are using artificial intelligence (AI) to create applications rather than using the traditional line-by-line coding process. However novel the method, though, it is still imperative to stay focused on secure coding practices.

A recent webinar, “Catch the Vibe-Line: Adding the "Sec" into Vibe Coding,” explored the evolving world of vibe coding and the accompanying risks—and why it’s vital that we understand how to secure our vibe-coded applications.

Grasping vibe coding

Employing AI tools, developers act as directors in the vibe coding methodology to craft code that meets high-level requirements and desired outcomes. A developer might write an AI prompt such as, “I want an app that does X, Y, and Z,” and then observe as the AI builds the infrastructure, logic, and user interface.

And although swift feature delivery, smooth iterations, and the elimination of monotonous boilerplate code may be a dream for developers, it is not without its pitfalls. AI's decision-making prowess can falter. Vibe coding tends to generate redundant code and can hallucinate, leading to a lot of vulnerabilities.

In a recent project, the AI fluctuated between Flask and FastAPI, rewriting entire code sections and even altering authentication methods midstream. The output required discerning oversight to prevent a disordered hodgepodge of incompatible components.

The lesson was clear: If you unquestioningly accept the AI’s output without reviewing diffs, understanding the logic, or enforcing consistency, you’re not coding—you’re gambling.
 

How is AI affecting the DevSecOps landscape? Read our Report

Security concerns in the vibe coding era

Notably, AI-generated code lacks inherent security.

AI's speed and efficiency in generating code can sometimes result in a tradeoff where security is overlooked in favor of functionality. This can result in issues such as weak password storage, improper handling of session tokens, and unvetted code snippets.

The rapid pace of vibe coding may also lead developers to skip crucial security measures. A feature that functions seamlessly might contain latent vulnerabilities—such as injection attack susceptibility, misconfigured authentication, or licensing issues stemming from code reuse.

Recognizing AI as a tool, not a substitute for secure coding practices, is essential for security professionals and developers to manage these risks. It needs guidance, oversight, and guardrails.

Best practices for secure vibe coding

To responsibly leverage AI-assisted development, the following best practices are vital to ensure security.

Shift left—even further

Integrate security into the design phase, not just as a post-production checkpoint. Train your AI with secure coding prompts and teach it what good security looks like. The earlier you embed security, the less cleanup you’ll need later.

Treat AI like a junior developer

Apply the same rigor as you would for any other developer: review the AI’s code, run static analysis, and engage in peer reviews. Recognize that AI requires oversight—it does not operate at a senior developer level.

Use traditional security tools

AI assistance, valuable as it is, isn’t a silver bullet. Utilize your existing DevSecOps pipeline, including vulnerability scanners, license checkers, penetration testing, and threat modeling. These tools and methods can catch what AI might miss.

Leverage AI for security, too

Reflect code changes by prioritizing security activities through AI. This approach lets AI pinpoint high-risk areas, such as authentication and data processing, and suggest targeted testing.

Prompt with purpose

Don’t just ask for features—ask for secure features. Include security requirements in your prompts. For example: “Build a login system using password-less authentication with secure token storage.”

The future of vibe coding

Vibe coding is a current reality, not a distant possibility. Developers across various industries are employing AI to accelerate application development. Embracing this technology requires us to proactively shape it, rather than merely respond to it.

A holistic approach to security is essential. This involves educating both developers and AI, integrating security tools into the CI/CD pipeline, and applying the same rigorous standards to all code—whether written by human or machine.

Will vibe coding replace junior developers?

While it’s unlikely to replace them, AI will certainly redefine their role. The next generation of junior developers must become adept at steering AI, creating effective prompts, and validating outputs. They will function as both coders and conductors.

Final thoughts on secure vibe coding

With great power comes great responsibility, and this is especially true for vibe coding. If we want to build fast, we must also build smart. That means prioritizing security, even when the vibes are immaculate.

For more in-depth information, watch our webinar on vibe coding. We explore how you can leverage AI to accelerate development without sacrificing security, and you’ll hear from those who’ve experienced the impact of vibe coding firsthand.
 

View Webinars

Continue Reading

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
IAST
M&A
Manage Security Risks
OSS License Compliance
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Web Application Security