Vibe coding sounds cool, doesn’t it? It’s all about writing code based on instinct and creativity rather than rigid rules or best practices. But here’s the catch: skipping structure and security checks can lead to serious problems down the road. So, what exactly is vibe coding, and why should you care about the risks that come with it?
Let’s start with what Vibe Coding is.
Vibe coding is an AI-powered approach to programming where developers describe what they want in plain language, and a large language model (LLM) generates the code for them. Instead of writing every line by hand, the programmer takes on more of a guiding role—reviewing, testing, and refining the AI’s output. The term has gained popularity as a laid-back, experimental way to build software, especially for quick prototypes or personal projects.
The tweet that started it all defined vibe coding as:
“You fully give in to the vibes, embrace exponentials, and forget that the code even exists.” – Andrej Karpathy (co-founder of, and formerly at, OpenAI)
Pros of Vibe Coding
Speed and Flexibility: Vibe coding allows developers to quickly prototype and iterate on ideas. This can be particularly useful for small projects or when experimenting with new concepts.
Creativity: By not being bound by rigid structures, developers can explore creative solutions and innovative approaches to problems.
Enjoyment: The informal nature of vibe coding can make the development process more enjoyable and less stressful, just like going with the vibe (hence the name!).
Security Concerns
While vibe coding has its advantages, it also comes with significant security risks.
Studies show 40–45% of AI-generated code contains security flaws.
Lack of Structure: The informal approach can lead to poorly organised code, making it difficult to maintain and secure.
Inadequate Testing: Vibe coding often skips thorough testing phases, increasing the likelihood of bugs and vulnerabilities.
Weak Documentation: Without proper documentation, understanding and securing the code becomes challenging, especially for other developers who might work on the project later.
Specific Security Issues
AI generates insecure patterns: Many AI-generated snippets are lifted from public repositories, often without security validation. If vulnerabilities exist in the original source, they can be blindly copied into production without developers realising it. This could lead to issues like SQL injection, XSS, insecure authentication, and unsafe deserialisation (e.g., Python Pickle allowing remote code execution).
Blind trust in AI suggestions: If you don’t deeply understand the logic, you’re less likely to question it. In traditional coding, writing each line forces a level of understanding and scrutiny. With vibe coding, developers are often reviewing something they didn’t write, making it harder to spot subtle security flaws or logic errors. The result? More security gaps, unvalidated assumptions, and an overall increase in risk.
Fewer security reviews: Shorter development cycles also mean less time for manual reviews. In the rush to ship features, security audits get deprioritised, and threat modelling takes a backseat. AI-generated code can be unpredictable and inconsistent, leading to unexpected attack surfaces. Prioritising speed over structure means future updates or debugging can be costly and error-prone.
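The two concrete patterns named above, SQL injection and unsafe deserialisation, shown as an added example that is not code from the original post: each vulnerable function sits next to its hardened form, so a reviewer can see exactly what to look for in generated code. The in-memory SQLite table, the session blobs and the `ALLOWED_KEYS` schema are constructed for this example.

```python
import json
import pickle  # present only to show the pattern to avoid
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a real store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


# Vulnerable: the caller's string is spliced into the SQL text, so a quote
# character in the input changes the query's structure. A legitimate name like
# O'Brien breaks the statement; a crafted one rewrites it.
def find_user_unsafe(conn: sqlite3.Connection, name: str) -> list:
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


# Hardened: placeholders hand the value to the driver separately from the
# statement text, so input can never become SQL.
def find_user_safe(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Vulnerable: pickle reconstructs arbitrary objects and calls whatever the
# stream names, so loading a blob you did not produce can execute code chosen
# by whoever produced it. There is no safe way to unpickle untrusted data.
def load_session_unsafe(blob: bytes) -> dict:
    return pickle.loads(blob)


# Hardened: a data-only format plus an explicit schema check.
ALLOWED_KEYS = {"user", "role"}  # assumed session schema for this example


def load_session_safe(blob: bytes) -> dict:
    data = json.loads(blob.decode("utf-8"))
    if not isinstance(data, dict) or set(data) - ALLOWED_KEYS:
        raise ValueError("unexpected session structure")
    if not all(isinstance(v, str) for v in data.values()):
        raise ValueError("session values must be strings")
    return data


if __name__ == "__main__":
    db = make_db()
    print(find_user_safe(db, "alice"))         # one row: alice, admin
    print(find_user_safe(db, "' OR '1'='1"))  # no rows: the probe is just an unknown name
    print(load_session_safe(b'{"user": "alice", "role": "user"}'))
```

The useful habit is to treat the unsafe versions as review signatures: string formatting inside `execute(...)` and any `pickle.loads` on data that crosses a trust boundary are the lines to stop on when reading code you did not write.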
Suitable Projects for Vibe Coding
Vibe coding can be a great approach for small projects, and it brings benefits such as:
- Personal Apps: Simple applications for personal use where security is not a major concern.
- Rapid Prototyping for MVPs: Perfect for hackathons, investor demos, and internal proofs of concept, vibe coding allows quick iterations without heavy upfront architecture.
- Educational Value: Beginners can learn coding concepts in a less intimidating environment, making vibe coding a great tool for training and experimentation.
- Cost-Effectiveness: By cutting down repetitive tasks and boilerplate, vibe coding saves time and resources during initial development phases.
- Future-Proof Approach: Vibe coding aligns with modern AI-assisted development trends, integrating seamlessly with tools like GitHub Copilot and Replit.
- Reduced Burnout: The relaxed, flow-oriented approach combined with AI assistance makes coding less stressful, helping developers maintain energy and creativity over longer periods.
When to Avoid Vibe Coding
For larger, more complex projects, vibe coding is generally not recommended due to the increased risk of security vulnerabilities and maintenance challenges. Projects that require high reliability, scalability, and security should adhere to more formal development methodologies.
Vibe coding offers a fun and flexible way to approach programming, but it’s important to recognise its limitations, especially regarding security. By combining the creative freedom of vibe coding with good development practices, you can enjoy the best of both worlds – quick, enjoyable coding sessions and secure, reliable applications.
Treat AI assistants like smart apprentices: they can be incredibly helpful, but their work still needs to be reviewed. Don’t treat them like flawless experts whose code or answers you can trust without checking.
What to keep in mind when Vibe Coding
Despite the appeal of vibe coding, it’s crucial to maintain good development practices to ensure the security and reliability of your projects:
Planning: Even if you’re coding intuitively, having a basic plan can help guide your development and prevent major issues.
Testing: Regular testing is essential to identify and fix bugs and vulnerabilities.
Documentation: Proper documentation ensures that your code is understandable and maintainable by others.
Code Reviews: Peer reviews can help catch mistakes and improve the overall quality of the code, especially if you’re new to coding. Get an experienced coder!
How to Balance Creativity and Security
Sandbox the Creative Zone
- Use isolated environments (e.g., Docker, virtualenvs) to experiment freely without risking your system or production data.
- Keep creative code in a separate branch or repo until it’s reviewed.
Use Guardrails, Not Walls
- Add lightweight linters and static analysis tools (like ESLint, Bandit, or Semgrep) that run in the background.
- Use pre-commit hooks to catch obvious issues without interrupting flow.
Automate Security Hygiene
- Auto-scan dependencies with tools like Dependabot, Snyk, or npm audit.
- Use templated secure patterns (e.g., for auth, DB access) so you don’t reinvent the wheel insecurely.
Log the Vibes
- Even in creative mode, log what your code is doing. It helps with debugging and spotting suspicious behaviour later.
Review Before You Ship
- After the creative burst, pause and review:
  - Are inputs validated?
  - Are secrets exposed?
  - Are permissions too open?
  - Is error handling robust?
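As an added example (not the post's own code), here is the kind of lightweight pre-commit check the "Guardrails, Not Walls" and "Review Before You Ship" sections describe: it scans files for the obvious slips behind the questions above, namely hard-coded secrets, `pickle.loads`, SQL built with f-strings or `%` formatting, and world-writable permissions. The regexes and the sample file are constructed for this example and are deliberately crude; they complement Bandit or Semgrep rather than replace them.

```python
import re
import sys
from pathlib import Path

# Each check is (label, pattern). Constructed for this example: they catch the
# obvious cases only and will miss anything clever.
CHECKS = [
    ("hard-coded secret",
     re.compile(r"""(?i)\b(api[_-]?key|secret|password|token)\s*=\s*["'][^"']{8,}["']""")),
    ("private key material",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("unsafe deserialisation",
     re.compile(r"\bpickle\.loads?\(|\byaml\.load\((?![^)]*Loader)")),
    ("dynamic code execution",
     re.compile(r"\b(eval|exec)\(")),
    ("world-writable permissions",
     re.compile(r"chmod\([^)]*0o?7[67]7\)|\b0o777\b")),
    ("SQL built by string formatting",
     re.compile(r"""execute\(\s*f["']|execute\([^)]*%\s*\(""")),
]


def scan_text(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line_number, label) for every line that trips a check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "# nosec" in line:  # explicit, reviewed opt-out, same marker Bandit uses
            continue
        for label, pattern in CHECKS:
            if pattern.search(line):
                findings.append((path, lineno, label))
    return findings


def scan_files(paths) -> list[tuple[str, int, str]]:
    findings = []
    for p in paths:
        text = Path(p).read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_text(str(p), text))
    return findings


# Constructed sample of the kind of file a quick prototype produces; the key
# value is a placeholder, not a real credential.
SAMPLE = """\
import pickle
API_KEY = "example-key-0123456789abcdef"   # would leak on commit
def load(blob):
    return pickle.loads(blob)
def lookup(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'")
os.chmod(path, 0o777)
safe = conn.execute("SELECT * FROM users WHERE name = ?", (name,))
"""


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = scan_files(targets) if targets else scan_text("sample.py", SAMPLE)
    for path, lineno, label in results:
        print(f"{path}:{lineno}: {label}")
    sys.exit(1 if results else 0)  # non-zero exit blocks the commit
```

Wired into a git pre-commit hook as `python guardrail.py $(git diff --cached --name-only --diff-filter=ACM -- '*.py')` (script name assumed), a non-zero exit stops the commit and prints the offending line numbers; with no arguments it runs against the built-in sample, which reports four findings and leaves the parameterised query alone. The `# nosec` opt-out keeps the guardrail from becoming a wall: a reviewed false positive is silenced on the line itself, where the next reader can see that someone looked.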
Vibe coding is changing the way we think about software development: it feels more natural, more creative, and more fun. It gives developers the freedom to experiment, move fast, and break away from the rigid structure of traditional workflows. But with great freedom comes great responsibility.
As AI becomes more of a go-to tool in coding, it’s all about finding that sweet spot between being creative and staying smart. Vibe coding isn’t about tossing out good engineering; it’s about adding a spark to it. Used the right way, it can help you move faster and build cooler stuff without cutting corners on security or quality.
So go ahead, embrace the vibes, prototype boldly, and let your creativity flow. Just don’t forget to pause, review, and secure your code before it goes live. The future of coding might be more about collaboration with AI than control over syntax, and vibe coding is just the beginning.
InfoSec People is a boutique cyber security and IT recruitment consultancy, built by genuine experts. We were founded with one goal in mind: to inspire people to find the careers that inspire them. With the success of companies fundamentally driven by the quality of their people, acquiring and retaining talent has never been more important. We believe that recruitment, executed effectively, elevates and enables your business to prosper.
We also understand that cyber and information security recruitment can genuinely change people’s lives; that’s why we take the duty of care to those we represent very seriously. All our actions are underpinned by our core values:
- Always do the right thing
- Be the best we can be
- Add value
We work with businesses in the cyber/tech arena, from start-ups and scale-ups to FTSE100 and central Government, many of whom are always looking for great people.
Call us directly on 01242 507100 to discuss opportunities or email info@infosecpeople.co.uk.