81% of developers surveyed by CodeSignal are using AI in their workflows right now. That’s not a prediction; that’s today.
And here’s the kicker—your “citizen developers,” those business folks with zero coding chops, are jumping in too, spitting out apps via LLMs without a single security glance. Vibe coding, they call it. Sounds fun. Until the breach.
I’ve been kicking tires in Silicon Valley for 20 years, watching hype cycles come and go. Remember when everyone swore no-code would democratize software? Yeah, it birthed a million misconfigured SaaS nightmares. This AI coding wave? Same story, turbocharged. Companies like Tenable are waving templates and questionnaires, but let’s cut the PR spin: who’s really cashing in while your attack surface balloons?
What the Hell Is Vibe Coding, Anyway?
Vibe coding. Developers—or wannabes—tell an LLM, “Make me an app that does X,” and boom, code spits out. No review. Straight to prod. The original post nails it: “the ‘developer’ takes the AI code and puts it into production without any vetting or review.”
Charming. But risks? Oh boy. AI models trained on public repos—full of holes—regurgitate the same bugs. Misconfigurations. Over-permissive data access. Weak auth that a script kiddie cracks in minutes.
Tenable’s guide lists top uses: code completion in IDEs, auto-testing, code reviews. Fine. But they gloss over the citizen dev chaos. Business users on low-code platforms, deploying without IT’s blessing. It’s like handing flamethrowers to toddlers.
One paragraph on this? No way. Let’s unpack.
First, AI-powered code completion. GitHub Copilot, Cursor, whatever—real-time suggestions that autocomplete lines or whole functions. Handy for boilerplate. But trained on vulnerable code? It suggests the same insecure patterns. Ever seen SQL injection via AI nudge? I have. And IP leaks? If your proprietary snippet feeds back into the model (check the fine print), competitors get a free peek.
Second, automated testing. Anthropic’s Claude found 500 high-sev vulns in OSS—impressive. But as Tenable admits, AI tests miss subtle flaws. False security. Plus, it floods DevSecOps with unprioritized noise. You’re faster, sure. Safer? Dream on.
Third, code review and refactoring. LLMs summarize PRs, flag bugs, enforce style. Great for onboarding legacy code explanations. Yet, they hallucinate. Suggest fixes that break more than they mend. Human eyes still rule—or should.
The post cuts off there, but you get it: fourth would be docs, fifth maybe optimization. All speeding things up. None securing them.
“Citizen developers” — business users with little to no coding experience and even less security experience — are also using agents, LLMs, and low-code/no-code (LCNC) platforms to build and deploy software without any security checks.
That’s the money quote. Straight from Tenable. They’re not wrong.
Why Does Vibe Coding Reshape Your Attack Surface?
Look, efficiency’s the sell. 81% adoption isn’t optional; big tech mandates it. But reshaping the attack surface? Massively. Every unchecked AI blob is a new vector. Supply chain attacks via tainted models. Prompt injection turning your coder into an insider threat.
My unique take—and Tenable misses this—it’s 2010 all over again. Remember the Node.js boom? Everyone npm-installed the world, ignoring vulns. SolarWinds 2.0, but bottom-up. Citizen devs are your rogue nodes, pulling unvetted code from black-box LLMs. Bold prediction: by 2026, 40% of mid-sized breaches trace to AI-gen code from non-devs. Mark it.
Tenable pushes their One platform for exposure management. Smart. But it’s a band-aid if you skip policy.
25 Questions to Grill Your Devs (And Citizens)
Don’t just nod along. Ask hard.
The guide promises 25 security questions. Here’s a taste—stolen and sharpened:
-
What AI tools are you using for code gen? (Copilot? Claude? Custom?)
-
Do you review AI-suggested code line-by-line?
-
Ever pasted proprietary code into a public LLM?
-
For citizen devs: What’s your process for auth and permissions?
Full list in their template, but probe usage scope first. 81% says they’re doing it—know how.
Implementation? AI Acceptable Use Policy (AUP). Train on best practices. Deploy Tenable One to scan the mess.
But cynical me asks: Is Tenable just fearmongering to sell licenses? Maybe. Their blog reeks of it. Still, risks are real.
Is AI Coding a Net Win or Security Suicide?
Net win—if governed. Suicide otherwise. Vibe coding’s the wild west. Mandate reviews. Sandbox citizen tools. Prioritize human oversight for security-critical paths.
Historical parallel: early cloud. Hype ignored IAM horrors. Now it’s table stakes. AI coding? Same arc. Get ahead or bleed.
Short para for punch: Policies aren’t sexy. Breaches are expensive.
Deeper dive: DevOps teams love speed. Citizens want empowerment. Security? The buzzkill. Bridge it with phased rollouts—AI for non-prod first. Tools like Snyk or Veracode now scan AI code. Use ‘em.
Tenable’s template? Grab it. Customize ruthlessly. Include bans on public LLMs for sensitive work.
🧬 Related Insights
- Read more: Google Cloud Authenticator: The Cloud Brain Powering Your Passwordless Future — And Its Sneaky Vulnerabilities
- Read more: FrostArmada’s Fall: How Cops Crushed Russia’s Router Spy Network Targeting Microsoft Logins
Frequently Asked Questions
What is vibe coding in AI development?
Vibe coding is casually prompting an LLM to generate full apps or code, then deploying without review—often by non-experts.
How do you secure AI-generated code?
Review manually, scan with tools like Tenable One, enforce AUPs, and train users on risks like vuln replication.
Will AI replace developers?
Nah, it speeds them up—but amplifies screw-ups without guardrails.
