
Vibe Coding

  • Dec 17, 2025
  • 5 min read

What is vibe coding?

Quoting Wikipedia [2]:

Vibe coding describes a chatbot-based approach to creating software where the developer describes a project or task to a large language model (LLM), which generates code based on the prompt. The developer does not review or edit the code but solely uses tools and execution results to evaluate it and asks the LLM for improvements. Unlike traditional AI-assisted coding or pair programming, the human developer avoids examination of the code, accepts AI-suggested completions without human review, and focuses more on iterative experimentation than code correctness or structure.


In other words, we are talking about software whose code no human has ever read, let alone understood. Can this benefit a company? Obviously, yes. But it can also do damage.


Why?

Before we dive into the potential benefits and risks, let's first understand why anyone would want to build and use custom apps in the first place.

From a large business's perspective, the benefits are obvious. A tool that fixes a problem the business has been living with can be deployed in days rather than months, and no highly paid IT specialist is needed. Anyone in the company can build an app for the whole business to use. The app is ready in no time, can be changed almost on the spot, and the implementation cost was 0 EUR.


Awesome, right?


Something similar is already happening; think of VBA or Power Automate. Users build their own flows and get certain tasks automated. This is neat, but it requires some knowledge of the tool you are using. Not everyone appreciates how complex Power Automate can get, or how tricky it sometimes is to make it do what you actually want. VBA has an even steeper learning curve: unfortunately, it requires some coding skills.


With vibe coding, however, no such skills are required. Just tell the LLM what you want and it builds it for you. Want it done differently? Ask again. AI coding can speed up your workflow whether you are a developer or an everyday user, and it looks like a blessing for staff under constant pressure to deliver more for less.


Potential use cases

Potential use cases are almost endless. Just think of any repetitive task you do each day. You can build an app for that.

Some simple ideas, probably also possible with Power Automate or just some Python ;)

  • Pull the daily stock report, put it in the company template, and send it to your boss.

  • Registration app for a company venue, including a donation for charity button.

  • Autogenerated company emails. You would type a message, and the app would put it on company stationery and send it through. This might include a tracking dashboard to see how many people have opened your mail.


The ideas are endless.


What is AI?

Do you actually know what AI is? Artificial intelligence, you say? Kind of. That is what the letters stand for, but the tools currently marketed as AI have little to do with intelligence in the human sense. They are so called „Large Language Models”, or LLMs for short: large statistical models that predict which words (strictly, tokens) should come next given the query. They generate the first token, feed it back into the model to pick the second, then the third, and so on. They have been tuned to simulate a personality. Type something mean into the ChatGPT prompt and it will start apologizing.


A machine is not sentient, nor is it intelligent!


All those LLMs have been trained on a very large slice of the public internet: forums, documentation, books, open-source code, more or less every source of human-written content their makers could collect. The responses you see are patterned on what the model saw during training, perhaps on a forum somewhere. This is not an intelligent machine answering; it is a statistical simulation of how humans have answered before.


What are the risks?

While using LLMs that are not authorized in your company, you may actually be leaking data. Depending on the provider and the plan, what you paste or upload into those AI tools can be retained and used to train future versions of the model, which are then served to everyone else. Fragments of your top secret documents could then, in principle, turn up in someone else's answer. This applies not only to code but to every query.


The code that comes out of the LLM is patterned on someone else's code, rewritten to fit your purpose; sometimes it is reproduced almost verbatim from the training data, license and all. The LLM does not track where it came from or what the license requires (a GPL snippet, for example, carries obligations for anything that includes it). So what happens if the original author finds out you are using their work without honoring the license? They could sue the company.


Is your app secure? Are you sure? How do you identify and trace all the libraries the LLM pulled in to build your app, and how can you be certain none of them has a security issue? Because you never wrote a single line of code, you have no idea whether the app is secure, and worse, no idea how to test it. One of the simplest issues is SQL injection in a login form. What happens if I type my username as TEST' OR 'x'='x and the same for the password? If the code builds the query by gluing the user input into the SQL text, I may have just logged in without knowing any valid credentials.
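To make the login example concrete, here is an added example (not code from the post) of the two ways a login check can be written: the concatenated query an unreviewed, generated app often ends up with, and the parameterized version next to it. The users table, its single row and the plaintext password are constructed for the demo only; a real app stores password hashes.

```python
"""Login check as an unreviewed, generated app often writes it (string concatenation),
next to the parameterized version. Added example; the users table and its one row
are constructed for the demo and would be password hashes in a real app."""
import sqlite3

# The input from the article, typed into both the username and the password field.
PAYLOAD = "TEST' OR 'x'='x"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")  # constructed sample row
    return conn


def build_vulnerable_sql(username: str, password: str) -> str:
    # Raw input is glued into the statement text, so a quote in the input ends the
    # string literal and everything after it is parsed as SQL.
    return ("SELECT COUNT(*) FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    return conn.execute(build_vulnerable_sql(username, password)).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders hand the values to the driver separately from the statement; the
    # input is compared as data and is never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        "vulnerable_with_wrong_creds": login_vulnerable(conn, "alice", "wrong"),
        "safe_with_payload": login_safe(conn, PAYLOAD, PAYLOAD),
        "safe_with_real_creds": login_safe(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    print(build_vulnerable_sql(PAYLOAD, PAYLOAD))
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the payload in both fields the concatenated statement becomes `... WHERE username = 'TEST' OR 'x'='x' AND password = 'TEST' OR 'x'='x'`. Because AND binds tighter than OR, the database reads it as `username = 'TEST' OR ('x'='x' AND password = 'TEST') OR 'x'='x'`, and the last term is true for every row, so the login succeeds. The parameterized version treats the same input as an ordinary string and rejects it. The fix is placeholders, not hand-escaping quotes.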


If the app calls an external API, is that API trustworthy? How do you know what information is being sent through it? You might be shipping data to an adversary, and the LLM would not tell you, because it has no notion of your security context. The same goes for the packages the LLM decided to import: it may pick a name that is not the well-known library you assume, or one that does not exist on the package index at all and that someone else can register. Unvetted dependencies and third-party endpoints are how „supply chain attacks” get in.


If your app ever grows and becomes critical for the company, management may decide to hire a real developer to maintain and extend it. That person will need a lot of time to understand potentially chaotic and undocumented code written by the LLM. This slows development and can mean security issues are never discovered. I call it a „debugging nightmare”.


Mitigation

The whole vibe coding topic is a big issue for internal IT. It falls under „shadow IT”: users finding a clever way to do things they are not supposed to be doing, outside of IT's view.


If you choose to allow users to build their own apps and you accept the risks, fine. I still recommend that internal IT verify the code before it goes anywhere near production. Do some pen testing, even simple checks like the SQL injection described above. Restrict the access the app has: give it the minimum permissions, data and network reach it needs. Run it in a segregated network or a restricted VM. Make sure you really understand what the app does, what it sends and where to. Inventory its dependencies. And educate your users that they may be leaking data without realizing it.


In my opinion, using LLMs to write code only makes sense if YOU write the code and ask the AI for help with specific topics. Even then, do not blindly copy-paste the result. Take the time to read it, understand it, and confirm it does nothing weird or unexpected. I do this all the time when I am stuck. LLMs have been very helpful to me in developing many small tools only I use, but also company-wide applications. But I always took the time to read the proposed code and to check the dependencies and libraries.


Final words

I am not against vibe coding if your business has the capacity to put safeguards around it. The process can certainly improve many workflows in your business. However, you have to educate your users about the dangers of using LLMs to code. If you are a programmer yourself, I suggest you use AI tools as support rather than as a replacement. And remember: always code with „secure by design” principles in mind.


References

[1] Globant and MIT Technology Review, Transforming software development with generative AI
