The way we write software is changing much faster than developers could have anticipated. At the heart of this is “vibe coding” – a technique where programmers use generative AI to produce code faster than a person ever could.
Demonstrating the scale of this change, Gartner reported that AI-assisted code development is on track to account for 40% of all new business software within three years – and that’s a modest estimate.
Co-founder and CTO of Chainguard.
At its best, vibe coding creates new opportunities for developers by helping them complete time-consuming tasks, like writing boilerplate code, much quicker. That extra time gives teams the ability to focus on building, innovating, and delivering product-specific value.
However, as vibe coding takes off, it has also given rise to threats that developers, security teams, and engineering leaders need to get ahead of. As more people interact with code via natural language prompts, developers may increasingly be distanced from directly authoring source code.
This creates opportunities for harmful code to be inserted into software stacks.
Speed meets scrutiny
Vibe coding allows developers to not just produce more code, but to also raise the bar on code quality through faster refactoring and experimentation.
Done right, vibe coding isn’t just about faster output, it’s about strengthening the code review muscle. Which in some ways, can prepare more junior developers for senior leadership roles where code review is a core responsibility.
At the same time, vibe coding expands the surface area of the codebase in subtle yet significant ways, subjecting it to more risk of error, abuse, and even malicious injection.
Even if the individual quality of AI-generated code were to improve (which isn't always guaranteed), the sheer volume of code being generated could result in a greater overall rate of defects.
Rigorous review, testing, and healthy skepticism are important for any code, whether written by humans or AI, so that bugs or insecure patterns do not slip through the cracks.
AI is a lot like a tireless, no-ego junior engineer. It has great potential but needs continual supervision and guardrails. When an intern breaks production, we don’t just blame the intern; we recognize it as a failure of the team’s processes and oversight.
The same is true with AI. If you let an AI agent push harmful code into production, it’s not just the AI that failed; it’s a breakdown in review, testing, and governance. The results of vibe coding can be transformative with proper guardrails and procedures.
Without them, you risk introducing vulnerabilities by omission and are gambling with your security posture.
Accountability beyond authorizing: Provenance first
The rise of vibe coding is similar to the early days of open source software. Developers could build faster by reusing code someone else wrote and published rather than writing it from scratch themselves.
But as open source became foundational to modern software, organizations learnt a crucial lesson: you are still responsible for what runs in your environments, even if you did not create every component. The same applies now to vibe coding.
AI doesn’t eliminate the need for craftsmanship, it changes the context in which it is used. Using AI well takes a lot of human work, and developers must change the way they think about quality, review, and ownership.
An easy mistake is to accept auto-generated ideas without first reviewing them. This not only produces AI slop, but could also make your build environments more susceptible to vulnerabilities.
AI replacing zero-days with speed
Threat actors are now taking advantage of the same generative AI capabilities that give developers an edge. Historically, hackers used “zero day” vulnerabilities (flaws that defenders were unaware of) to launch sophisticated attacks on tech stacks.
In fact, the term “zero day” comes from the fact that defenders have had zero days to patch vulnerabilities before needing to defend against them. This used to mean that an attacker had to be aware of a vulnerability before the software vendor did.
Today, the scenario has changed. Vibe hacking gives cybercriminals access to the same generative AI tools as developers; they’re no longer waiting to locate or buy expensive zero days to initiate an assault.
This is because it usually takes weeks or months for upstream distributions to patch vulnerabilities, and even longer for users to implement those patches.
Data from Google’s Threat Intelligence Group (GTIG) shows that the pace that attackers are exploiting known vulnerabilities is dropping dramatically. Attackers now can exploit known vulnerabilities before most organizations have a chance to fix them.
In a vibe-hacked world, security must be ongoing, proactive, and fully integrated into the software development lifecycle. As engineering leaders, we need to create spaces where AI is used safely and transparently, and where developers are empowered, not sidelined, by these tools.
A safe approach to vibe coding
Putting the word “AI” in front of productivity tooling doesn’t change the accountability of the individual that is using it. Similarly, putting the word “AI” in front of automation doesn’t change the accountability of the company that is deploying it.
As AI accelerates the way we build, the role of the developer evolves from creator to steward. Our responsibility isn’t to outpace AI but to ensure what it produces stands up to scrutiny.
The safest path forward combines automation with accountability, and innovation with intention. When developers take ownership of every AI-assisted line of code, we move closer to a world where speed and security reinforce each other.
We've featured the best online cybersecurity course.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro
You must confirm your public display name before commenting
Please logout and then login again, you will then be prompted to enter your display name.