Vibe Coding: When Everyone’s a Developer, Who Secures the Code? – Source: www.securityweek.com

Source: www.securityweek.com – Author: Kevin Townsend

Just as the smart phone made everyone a digital photographer, vibe coding will make everyone a software developer and will change the software development industry forever.

Andrej Karpathy, co-founder of OpenAI and former AI leader at Tesla, introduced the term ‘vibe coding’ in a February 2, 2025, tweet. “There’s a new kind of coding I call ‘vibe coding’, where you fully give in to the vibes, embrace exponentials, and forget that the code even exists.” He was primarily expressing an emotional response to using AI to automate a specific process; but the term took hold and is now widely used as the general label for AI-generated or AI-assisted programming.

Vibe coding is a subset of context engineering. If the context is complete and accurate, it should be possible to plot a path through it to produce accurate code. The context comprises the details required for the finished code, and it is provided by the coder. The interface between the coder and the AI is natural language (usually English, but not necessarily).

The AI uses LLM capabilities in this interface, so vibe coding generally relies on existing foundation models, such as the newer versions of GPT, Claude, or Gemini Pro. The LLMs are often integrated into specialized IDEs, such as VS Code, Cursor and Windsurf. Ultimately, however, all the problems that still affect LLMs (such as hallucinations and bias) can also affect the accuracy of vibe coding.

Vibe coding is new. Although AI has been used within programs for more than 70 years, now it can be used to generate entirely new programs. It has the potential to upend the entire software development industry; but it’s new, and like all new developments, it has its teething problems. Teething problems get sorted over time, but right now we’re still in the teething phase.

“I like to think of Generative AI in 2025 as like ‘having a website’ in 1999. It’s difficult to sort out the hype from the signal; but underneath all the noise, the reality is that it’s going to impact just about everything we do,” explains Casey Ellis, the founder of Bugcrowd.

“Vibe coding is when you tell an AI, like a chatbot, what you want your software to do using regular words, and it writes the code for you,” says J Stephen Kowski, Field CTO at SlashNext. “This means you don’t need to know how to program; you just describe your idea, and the AI turns it into working software.”

But if you want complex or unique features, or if you don’t double-check the AI’s work, you might run into problems.

Strengths and weaknesses

The biggest apparent strength is speed. “Vibe coding gives you massive acceleration when prototyping web apps, especially with simple known apps with low to moderate complexity,” explains Jonathan Rhyne, co-founder and CEO at Nutrient.

It democratizes the process of creating software. Anybody with an idea and an understanding of how the idea should work can create a working program. You no longer need to know a programming language, you merely need to know how to use AI – which itself is no mean feat.

Speed and democratization mean more code at less cost – so the real strength is the economics of vibe coding. It is here, and it must be used lest competitors gain the competitive edge.

The problem is these strengths come bearing their own weaknesses. ‘Democratization’ is a potential weakness. “There are communities and open-source projects dedicated to providing vibe coders with configuration files that can improve the efficacy of their AI tools,” explains Kaushik Devireddy, senior product manager at Deepwatch.

“Vibe coders, who may be from non-technical roles, are constantly hunting for new configuration files. The result is an opportunity for bad actors to publish and gain adoption of malicious config files. This creates a brand-new attack vector, manifesting in the application logic layer – which is a particularly thorny area to secure.”

Speed can also be a weakness. “On the downside,” says Ellis, “AI is quite good at getting to the ‘90% OK’ solution – but the bad stuff tends to happen in the 10%. Vulnerabilities exist as a probabilistic function of the number of lines of code. We’re producing an increasingly high velocity of lines of code – and more code means more vulnerabilities. On top of this, speed is the natural enemy of quality, and security is a child of quality.”

Nicole Carignan, SVP security & AI strategy, and Field CISO at Darktrace

Nicole Carignan, SVP security & AI strategy, and Field CISO at Darktrace, is also concerned that speed and ease might be at the cost of security. “Vibe coding enables non-expert professionals to develop and prototype, but the code it produces will not inherently be secure and could inject vulnerabilities into systems.”

She wonders whether the practice will create more work for security teams in code review than it saves in development or prototyping time.

Inti De Ceukelaire, chief hacker officer at crowdsourced security / bug bounty firm Intigriti, confirms this combination of strengths and weaknesses in current vibe coding. “Vibe coding is helpful, but it’s not a magic fix,” he says. “I used it to build a small hacking tool in just one day, which would have taken me weeks to make on my own. It’s also been great for fixing simple bugs or creating quick prototypes. But once a project gets bigger and more complex, the AI starts making more mistakes. At that point, it can take just as long to guide and correct the AI as it would to code it myself from scratch.”

So, security teams can still benefit from vibe coding by playing to its strengths – small, individual tools focused on defined purposes that can help solve local security concerns without needing to be pretty.

For larger scale applications with a wider audience, a ‘human in the loop’ is standard advice for all interactions with AI. It offers benefits but should not be considered a solution. “The truly pernicious scenario,” suggests Sohrob Kazerounian, distinguished AI researcher at Vectra AI, “is when keeping a human in the loop leads to a false sense of security and ultimately results in an increase in failures.”

He almost suggests reversing the emphasis – rather than using a human to check and improve AI-generated code, use AI (in the form of specialist agentic AI) to check and improve human-generated code.

Working with vibe coding

Since vibe coding, with all its current imperfections, is here, and those imperfections will lessen over time as happens with all new technology, we need to cope with what we have and get ready for what is coming. That will be little short of a revolution for the software industry.

There are those who recognize and embrace this reality. “You can do things faster. You can be more ambitious about the things you can build, and you can build it on your own and have more fun doing it. You can do things that would have required a team, or a team of teams, of developers,” comments Gene Kim, author and former independent director at the Energy Sector Security Consortium. “There’s something so magical about that, and for me, it’s an amazing time to be alive. I’m outrageously, and I don’t think completely naively optimistic about what it does to our profession.”

That doesn’t mean that just anybody can immediately produce good code results through vibe coding. The quality of the output is directly proportional to the quality of the input prompts, explains Pukar Hamal, founder and CEO at SecurityPal.AI.

“You need to understand the basics of software development. You need to know what algorithms are and how they work, and how different lines of code work together to produce good software; and you must be able to phrase your prompt queries clearly and accurately aligned with your intended outcomes. If you can do all this, you are likely to get better code with fewer bugs.”

If you don’t understand how software fundamentally works, he continues, “Chances are, when you tell an LLM to write a lottery number generating application, it will likely be highly verbose and will potentially have 150 lines of code or more. We have a term that describes this overwhelming amount of low quality generated output that usually comes from a lack of input rigor: ‘AI slop’.”

But you don’t need to be inexperienced at coding to fall short with vibe coding. Jonathan Rende, CPO at Checkmarx, describes an internal experiment conducted by one of his heads of engineering. “He went round all the different leads in the organization, and set them a task using vibe coding. After 45 minutes he went back round. Those that understood the big picture of how certain things in vibe coding needed to fit together, did a tremendous job. Those who simply tried to apply their old methods of coding, not so much.”

Jonathan Rende, CPO at Checkmarx

These were all engineers and developers. Some embraced the future while others simply tried to repeat the past, but faster. “Those who used vibe coding as a new tool to be used in a new way will do well, but the others will become less relevant.” This is the challenge for all coders today — learn to use vibe coding as a new tool with its own rules of engagement, or fall by the wayside since there will be a smaller demand for programmers simply because of the sheer speed of vibe coding used efficiently.

We’re in this transition phase. Vibe coding still requires a lot of manual intervention to minimize the inherent problems with LLMs, such as hallucinations and bias. “There are inherent problems,” says Kim. “It’s the developer’s job to ensure the AI isn’t calling functions that don’t exist – which can happen. The same engineering skills that we’ve always used are even more important now because AI amplifies the strengths and weaknesses we already have.”

Rende agrees. “LLMs will get better over time and there will be fewer hallucinations and more automated validation.” But for now, the best way to prevent or limit hallucinations is through more accurate prompts. “The better the question, the better the response; and then being able to check and validate as best as possible. Those are the keys right now: how you ask and how you validate.”
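As an added illustration of the “validate” step (example code written for this page, not from the article or any of the vendors quoted), the script below parses a generated Python snippet and flags the kind of hallucination Kim describes: imports of modules that do not exist in the current environment, and references to functions a real module does not expose. The generated snippet is only parsed, never executed; the `GENERATED` sample is constructed and deliberately contains three hallucinated names.

```python
"""Static check for AI-generated Python (added example, not from the article):
flag imports of missing modules and attributes a real module does not expose.
The snippet is only parsed, never run; only installed modules get imported."""
import ast
import importlib

def _load(name):
    """Return an installed module by dotted name, or None if it cannot be found."""
    try:
        return importlib.import_module(name)
    except ImportError:
        return None

def find_hallucinated_references(source: str) -> list[str]:
    """One finding per nonexistent module or attribute referenced in source."""
    tree = ast.parse(source)
    findings: list[str] = []
    aliases: dict[str, str] = {}  # local binding -> module, e.g. "hl" -> "hashlib"
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _load(alias.name) is None:
                    findings.append(f"module '{alias.name}' does not exist")
                elif alias.asname:  # import a.b as c -> c refers to a.b
                    aliases[alias.asname] = alias.name
                else:               # import a.b      -> a refers to a
                    aliases[alias.name.split(".")[0]] = alias.name.split(".")[0]
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            mod = _load(node.module)
            if mod is None:
                findings.append(f"module '{node.module}' does not exist")
                continue
            for alias in node.names:
                if alias.name != "*" and not hasattr(mod, alias.name):
                    findings.append(f"'{node.module}' has no attribute '{alias.name}'")
    # Second pass: module.attr references on the modules resolved above.
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            target = aliases.get(node.value.id)
            if target and not hasattr(_load(target), node.attr):
                findings.append(f"'{target}' has no attribute '{node.attr}'")
    return findings

# Constructed sample of plausible-looking generated code with three hallucinations.
GENERATED = """
import hashlib
import hashlib as hl
from os import path, list_all_files
import hypothetical_pqc_toolkit
digest = hashlib.sha3_1024(b"x").hexdigest()  # hashlib has no sha3_1024
ok = hl.sha256(b"x").hexdigest()
"""
```

A check like this catches only names that do not resolve; a function that exists but is used with the wrong arguments or semantics still needs a reviewer, tests, or a type checker.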

The problem right now is that AI is usually described as probabilistic, while traditional programming is deterministic. We need to shift our approach to working with probabilism rather than determinism. But change is already happening.

Sola Security has developed a SaaS platform designed to help their security customers solve their own problems – whether that’s a fast answer to a specific question or a more expansive security app that can be downloaded and customized. Its purpose is to democratize both coding and security.

“You don’t need to be the most expert security person,” explains Dor Swisa, VP R&D at Sola. “Sola will give you that knowledge about security.” And then it helps you to use vibe coding to develop a unique app tailored to your own domain.

This is perhaps one of the most exciting areas of vibe coding: it has the future potential to allow all firms to have their own uniquely tailored and integrated security apps and break free from the need to buy multiple overlapping solutions that never quite fit the requirement. This is democratization coupled with freedom of movement.

Summary

Will there be fewer coders in the vibe coding future? Yes and no. In one sense, everyone will become a developer, so there will be more. Employees will no longer be reliant on submitting a small request to engineering followed by an indefinite wait for a response — they’ll create their own code in minutes rather than waiting for weeks. This is the truly exciting element of vibe coding: power to the people.

But there will be fewer specialist or full-time professional coders working on large scale, complex apps. One person will do the work of many, faster and more efficiently. And there will be lower emphasis on the creative skills of that coder. Artistry in the coding process will become redundant. Creativity will be limited to the ideation.

Business exists to create profit, not to employ people. Creativity will be reduced to defining outcomes, while AI will perform the creation.

Today’s creators will need to make that transition or fall by the wayside. It will apply in the relatively short term to all current ‘creators’ (including programmers through vibe coding, journalists through content creation, and graphic artists through picture generation), and even baristas through the combination of robotics and AI in the longer term. This will happen through the sheer driving force of business economics. Love it or hate it, get over it. Either run with the wind or fight it and fail.

Related: The Wild West of Agentic AI – An Attack Surface CISOs Can’t Afford to Ignore

Related: Should We Trust AI? Three Approaches to AI Fallibility

Related: The Root of AI Hallucinations: Physics Theory Digs Into the ‘Attention’ Flaw

Related: Grok-4 Falls to a Jailbreak Two Days After Its Release

Original Post URL: https://www.securityweek.com/vibe-coding-when-everyones-a-developer-who-secures-the-code/

Category & Tags: Artificial Intelligence, Vulnerabilities, AI, appsec, Software, vibe coding
