AI-assisted software development has taken off. By now, most people are familiar with the term ‘vibe coding’: giving an AI agent a high-level prompt and letting it build your application with significant autonomy. You prompt, it codes, you review the output, rinse and repeat.
The NCSC has previously written about the effects this could have on cyber security. And if you care about security, vibe coding can feel uncomfortable. AI models are trained on vast amounts of existing code, and some of that code has security issues. When you let an AI loose on your code base with minimal oversight, there is a real risk that it produces code with security vulnerabilities; research has found a measurable security gap in AI-generated code (pdf).
The other issue is that your code base can become complicated and confusing to understand, leading to maintainability problems further down the road.
Does this all mean that you shouldn’t use vibe coding? Not necessarily. It depends on what you’re building.
