Vibe Coding and Security
Shipping without guardrails can cost more than you think
Over the last 15+ years, I have built software applications for enterprises and startups. I learned that the cost of a security lapse is much higher than one might think, and it varies for each app. In one app it might be exposing your users’ data. In another, it’s causing financial loss for your users; in yet another, it’s a loss for the creator of the app; sometimes, it’s all of these. Reputation is certainly the highest cost you pay in all these scenarios. In more serious cases, one might end up in jail for exposing users’ data; this happens mainly with banking applications, which have strict compliance rules.
If you have built applications manually, you will have a clear idea of what you are doing even if you take help from AI coding tools; but if you are a pure vibe coder, you need to be extra careful about what you are doing. You can take help from others to audit your software. Ask your friends to test the app for its functionality; request verified security experts to look for unintended data exposure; if required, you can also read about the compliance requirements of the industry you are building the app for. Be aware, too, that some security auditing tools are themselves vibe coded.
Recently, the Tea App, which was presumably vibe coded, exposed the images of thousands of its users. The fact that they prioritised shipping fast and virality over privacy shows how bad mindless vibe coding can be for both the users and the creators of the app.
I am not against vibe coding, but responsibility in the form of utmost security should be etched into the process of vibe coding. Vibe coders also need to understand that security concerns differ from one tech stack to another; there is no one-size-fits-all understanding for whatever tech stack you use. Moreover, the context one gives to an AI coding editor through prompts is very important, and sometimes vibe coders themselves lack an understanding of the app’s architecture and user flow. By understanding and addressing these security implications, one can ship ten times faster yet prevent unforeseen disasters in the future.
Fast is good but fast and responsible is better.
Thanks for writing this, it clarifies a lot. Given the rise of AI coding tools, do you think 'vibe security' is the next big risk? Really insightful points, Shelly!