Vibecoding is super interesting. And powerful. Coding syntax is getting better. But secure coding isn't keeping pace.

In a test of 100 coding models, 45% of them introduced a serious vulnerability. For example, in 86% of tests, code wasn't secured against Cross-Site Scripting.

NOW-TERM IMPLICATIONS

This has big implications. Sure, there are the YOLOcoders that ship whole vibecoded apps without thinking about security. Or code review. Some percentage of their users will get rekt. If those projects get near high-risk users, they are sprinkling knives in the weeds with potential for harm.

BUT BIGGER MODELS = BETTER?

Interestingly, even big fat models aren't massively better with security.

S'EVERYWHERE

My other worry? Vibecoding without security check steps is happening in existing projects / platforms etc. Even when people say they are coding. Sometimes they be vibecoding. This sort of thing has already come to tools you use, including to handle your funds & privacy. Sure, secure code writing & review has never been anything near universal, but the scale and speed of new code creation that #vibecoding enables is new.

VULNERABILITY DISCOVERY...ALSO ACCELERATING

ICYMI, vulnerability DISCOVERY is also accelerating a lot faster than secure code creation... Whole industries are spinning up, including lots of offensive projects.

ME? I #VIBECODE

I love the change in how I create with code. But I think we are in for some really rough times, and the least informed parties are gonna be users. As ever.

In the longer run this problem space also seems to offer paths for AI-driven improvement in secure code creation. But since not everything is accelerating at the same pace, the deltas = harm.

Sauce:
The EU's Digital Identity Wallet project has a lot of big icks. Looking at the GitHub for the Android Age Verification application feels like chewing rocks. Like the proprietary attestation baked into a must-use form of identification is absolutely the wrong path... And while we're at it, recall the rule of thumb: Age Verification, either by deliberate or convenient naïveté, is almost always a surveillance trojan horse. Source:
Proton #VPN signups spike 1,400% as the UK Online Safety Act rolls out. Proton says the spike is sustained & higher than when France blocked adult content. Source: https://archive.ph/i2d9W
Tea enforced ID & selfie collection. And doxxed their own users. In other news, the UK Online Safety Act is forcing websites to begin collecting IDs. This will end, predictably, in fresh breaches. And more harm to users.