What Is Vibe Coding? And Why It's a Security Nightmare

The Rise of Vibe Coding

Vibe coding is the practice of describing what you want in natural language and letting AI write the code. Tools like Cursor, GitHub Copilot, and Claude Code have made it possible for anyone to build software.

The problem? AI-generated code inherits every bad security practice from its training data.

The Security Risks

1. Outdated Dependencies

AI models suggest packages with known vulnerabilities because that's what was popular when they learned.

2. SQL Injection by Default

AI often generates string concatenation for database queries instead of parameterised queries.

3. Hardcoded Secrets

AI generates example code with API keys and tokens inline. Developers copy-paste without thinking.

4. Missing Input Validation

AI writes the happy path. It rarely adds input validation or rate limiting.

5. Insecure Defaults

CORS set to wildcard, no CSRF protection, eval() for parsing — AI defaults to the simplest, least secure solution.

What You Can Do

1. Scan everything — run security scans before deploying
2. Review, don't trust — treat AI code like code from an untrusted contributor
3. Use tools like VibeTrace — automated scanning catches what human review misses
4. Keep dependencies updated — don't accept the version AI suggests without checking
5. Security-first prompts — tell AI to prioritise security

Vibe coding is here to stay. But "it works" is not the same as "it's secure."