Vibe Coding Is Creating a Security Crisis (Here’s Why)
Vibe coding, where developers rely on AI-generated code to get things done, is enabling software development at a rapid rate. However, as hackers use AI to exploit these vulnerabilities at the same rapid rate, a challenge is emerging for developers to find the best balance between development speed and security in AI-driven software.
There’s a new way that developers are building software, without any hint of traditional software engineering. You open up an AI tool and essentially describe the software that you’d like to create. Then, you have a block of code returned to you. You tweak it a little bit, and boom, you have software that gets shipped. This is the new way that many developers are describing as “vibe coding.” And while this is significantly increasing the rate of software development, it’s also introduced a new and considerable security risk.
What Is Vibe Coding?
Vibe coding is not the same as utilizing AI to write code for you. Instead, vibe coding is when developers trust the code that is generated by AI because it “feels good,” not because they understand every single line of code. There’s no longer a process of thinking through the problems that the code will solve or the bugs that could occur within the program. Instead, developers are simply prompting the AI tool to generate code for them, then shipping it as quickly as possible.
AI-generated code typically compiles and runs smoothly. However, the code that is generated by AI tools often contains security flaws. These vulnerabilities to security risks may go undetected until the software fails in a way that exposes the application’s sensitive data.
The Lack of Scrutiny in Vibe Coding
When developers wrote their code in the past, the process typically required them to write the code, have others review the code, test the software to ensure it worked as desired by the developers, then question the code to ensure it would not pose a security risk to the software being developed.
The shift to vibe coding has removed all of that scrutiny. More code is being produced, but with less understanding of why the code was written the way that it was. Vulnerabilities that could have been caught during development are now being introduced into software releases.
AI and Attackers Both Using Vibe Coding to the Advantages of Both Sides
Another concerning development in the world of vibe coding is that AI is being used by attackers to find and exploit the vulnerabilities in AI-generated code. As developers continue to use AI to produce code at an incredible rate, those vulnerabilities are being introduced. Then, attackers use AI to find and exploit those vulnerabilities at a rate that has never been seen before.
AI-generated code typically includes vulnerabilities in the same areas over and over again. For example, there are common instances of poor input validation, exposure of API keys, poor authentication security, over-permissioned software features, and the inclusion of vulnerable dependencies in the software.
These vulnerabilities are occurring because of the way that developers are using AI tools. Because developers did not write the code themselves, they may not understand every area of the software that could potentially be vulnerable. As a result, the developers trust the code and do not question it, failing to catch the vulnerabilities.
In the past, developers wrote the code that they produced and had an intimate understanding of every line. They understood the reasons behind the bugs and errors that the software produced. Now, many developers are shipping software that they did not write and do not understand. This is significant because security is closely tied to understanding the code that is being developed and shipped.
Meanwhile, Attackers Are Also Using AI Tools to Find Vulnerabilities in AI-Generated Code
Attackers are also changing the way that they find vulnerabilities in software. AI tools allow those attackers to review the code repositories of companies, recognize the common vulnerabilities that are included in vibe coding projects, and even automatically generate the code and tools that they require to exploit these security holes in the software.
How to Use AI Tools for Your Development Projects Without Compromising Security
There are a few ways that developers can take advantage of the benefits that AI tools have to offer while minimizing the risks to the security of the software that they create. For example, generated code from AI tools should be treated as untrusted. All code should be reviewed and critically evaluated before getting to the testing stages of a development project. Additionally, security scanning tools could be integrated into the development process to catch any potential vulnerabilities. It’s also important to use AI tools only in areas of the software that are understood by the developers, such as non-sensitive features of the software. Finally, developers should avoid blindly using AI tools and simply shipping the software without ever understanding the code that was generated.
Currently, the ease with which developers can produce software is increasing at an incredible rate. The same is true of the ease with which vulnerabilities are being introduced into that code. And, of course, the ease with which attackers can exploit those vulnerabilities is also increasing. In the future, the security of all software will have to be considered in the development process, especially if artificial intelligence is to be involved in that process.