Deceptive simplicity: A vibe coder's nightmare

With the rise of AI-assisted development and “vibe coding” in today’s software development landscape, a non-technical person can create a powerful application from scratch in a short period of time.

But there remains a huge gap between producing code that is functional and code that is secure.

Let’s face reality: many web applications are created by well-intentioned individuals who simply lack the knowledge and experience to identify where security flaws may arise.

For example, hard-coding Stripe API keys into the source to make it “easier for the application to find them”.
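Hard-coded keys are the concrete flaw this paragraph names, so here is an added JavaScript example (not code from the original post) that puts the anti-pattern next to a hardened loader and a small scanner that flags such literals in source text. `loadStripeKey`, `scanForSecrets`, the `STRIPE_SECRET_KEY` variable name and the sample source are assumptions of this example; every key string below is a constructed placeholder, not a real credential. The scanner is deliberately narrow and only matches Stripe's documented `sk_`/`rk_` secret-key prefixes.

```javascript
// Added example, not from the original post. Shows the hard-coded-key
// anti-pattern beside a hardened loader, plus a scanner that flags
// secret-looking literals in source text. All key values are constructed
// placeholders.

// --- Anti-pattern: the secret lives in the source ------------------------
// Anyone who can read the repository, the built bundle, or a leaked
// backup now holds a live billing credential.
const insecureConfig = {
  stripeSecretKey: "sk_live_EXAMPLEPLACEHOLDER0000000000", // constructed placeholder
};

// --- Hardened: read from the environment and fail closed ------------------
// The key never enters the code base. A missing or malformed value aborts
// startup instead of silently falling back to a default.
function loadStripeKey(env = process.env) {
  const key = env.STRIPE_SECRET_KEY; // assumed variable name
  if (typeof key !== "string" || key.length === 0) {
    throw new Error("STRIPE_SECRET_KEY is not set; refusing to start");
  }
  // Stripe secret keys use the sk_live_ / sk_test_ prefixes; reject anything
  // else so a publishable key or random junk is not used by mistake.
  if (!/^sk_(live|test)_[A-Za-z0-9]+$/.test(key)) {
    throw new Error("STRIPE_SECRET_KEY does not look like a Stripe secret key");
  }
  return key;
}

// --- Detection: flag secret-looking literals in source text ---------------
const SECRET_PATTERNS = [
  { name: "stripe-secret-key", re: /\bsk_(live|test)_[A-Za-z0-9]{10,}\b/g },
  { name: "stripe-restricted-key", re: /\brk_(live|test)_[A-Za-z0-9]{10,}\b/g },
];

// Show only the prefix and last four characters so the report itself does
// not become a second copy of the secret.
function redact(secret) {
  return secret.slice(0, 8) + "..." + secret.slice(-4);
}

// Returns one finding per match: { line, rule, match } with the value redacted.
function scanForSecrets(source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    for (const { name, re } of SECRET_PATTERNS) {
      re.lastIndex = 0; // global regex keeps state between calls
      let m;
      while ((m = re.exec(line)) !== null) {
        findings.push({ line: idx + 1, rule: name, match: redact(m[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample source to scan; line 2 carries a hard-coded secret key,
// line 3 a publishable key, which this narrow scanner intentionally ignores.
const SAMPLE_SOURCE = [
  'import Stripe from "stripe";',
  'const stripe = new Stripe("sk_live_EXAMPLEPLACEHOLDER0000000000"); // hard-coded',
  'const pub = "pk_test_EXAMPLEPLACEHOLDER000000";',
].join("\n");

// Stand-alone run: report findings for the constructed sample.
console.log(scanForSecrets(SAMPLE_SOURCE));
```

Running the scanner over a repository before the first deploy catches the mistake the paragraph describes; the loader makes the secure path the easy one, because the application refuses to start until the key is supplied from outside the code.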

At their core, vibe coders are well-meaning: they are solving a business problem that other people face.

But those good intentions are washed away when, for example, users’ contact information and addresses are leaked for everyone on the internet to use as they please.

Furthermore, a prominent trend in recent years has been the use of application frameworks that provide ready-made code components for numerous common areas of functionality, such as authentication, page templates, message boards, and integration with common back-end infrastructure components. Examples of these frameworks include Next.js and Hono.

These products make it quick and easy to create working applications without requiring a technical understanding of how the applications work or the potential risks they may contain.

The problem is exacerbated by the amounts that companies spend marketing these tools to non-technical individuals who lack a basic understanding of how software is architected.

When you add the fact that the new “coders” are relying on the same code spat out by the LLM, you quickly realize that we are not going to have secure software any time soon: the same vulnerabilities are shipped into many different applications in the wild.

Maybe, there is HOPE.

Maybe there isn’t, since software is always evolving.