Vibe Coding: A New Era of Software Development
In February 2025, Andrej Karpathy coined the term “vibe coding” to describe a new way of building software: rapid, AI-assisted development where users ‘fully give in to the vibes, embrace exponentials, and forget that the code even exists’.
Fast forward to 2026, and Anthropic CEO now predicts that 90% of code will be written by AI in 3-6 months. According to one survey, 84% of developers globally are using or planning to use AI coding tools in their workflow, up from 76% in 2024. Of those, 51% of professional developers use AI tools daily.
Security Challenges with Vibe Coding
The marketing manager, the operations lead, the finance team — all of them are building working applications, connecting them to production systems, and deploying them. Mostly without involving IT, and often never involving security.
Recent research from Veracode shows 45% of AI-generated code contains OWASP Top 10 vulnerabilities. AI models have improved dramatically at generating code that compiles and runs – but the security of that code is not always sound. The reason is straightforward: AI optimizes for functionality, not security.
Vulnerabilities in Vibe-Coded Applications
Researchers at RedAccess recently analyzed thousands of vibe-coded applications built on Lovable, Replit, Base44, and Netlify. They found more than 5,000 with virtually no security or authentication. Around 40% exposed sensitive data — medical information, financial records, corporate strategy documents, detailed customer conversation logs.
Among verified exposures: a shipping company app detailing vessel port arrivals; an internal health company application listing active UK clinical trials. Many of these applications are indexed by Google.
A New Shadow AI Problem
For two years, the security industry has discussed shadow AI as a behavior problem — employees pasting sensitive data into ChatGPT on personal accounts. That problem is bounded: the exposure lives in the inference layer, and there are tools that are focused on detecting it.
Vibe coding brings a different shadow AI problem. The employee is not sending data somewhere. They are building something — a live application connected to your CRM, your database, your ticketing system — and deploying it publicly.
Visibility Gap
Your security stack – with insights distributed across multiple data silos – was never designed to find it. Organizations running mature secure web gateways, CASB, or DNS logging can detect employee access to vibe-coding platforms. But detecting access is not the same as inventorying what was deployed, what data it holds, or whether it requires authentication.
What Should Security Leaders Do?
Similar to the initial reaction with shadow IT, the instinct is to prohibit vibe coding tools. That instinct is wrong. AI-driven development is not something organizations can or should block. But it must be governed.
The question is what governance actually means in practice when the tools move faster than any policy framework. Here are some best practices security leaders can act on now:
- Discover before you govern. You cannot govern what you cannot find.
- Run discovery scans across major vibe-coding platform domains.
- Review your cybersecurity stack.
- Add vibe-coding domains Lovable, Replit, Base44, Bolt, Netlify to your DLP policy as monitored destinations.
- Implement OAuth and API key governance to detect when production credentials are connected to unregistered applications.
- Extend application security to non-developer-built applications.
- Mandate human-in-the-loop reviews for critical functions built by non-developers.
- Treat prompts as source code requiring auditability.
- Establish ownership and lifecycle rules for every vibe coded application deployed within the organization — including named owners and data classification.
- Enforce infrastructure-level controls on AI agents, not just instructions.
The Clock Is Ticking. While authorities like the UK’s NCSC, the EU, and CISA urge the development of long-term safeguards for secure-by-design AI tooling, the immediate reality is far more pressing. There is likely a live application connected to your production database—accessible to anyone with a URL—that your security team hasn’t found yet. It’s time to start looking.
Source: SecurityWeek