DALL·E for coders? That is the promise behind vibe coding, a term describing the use of natural language to create software. While it ushers in a new era of AI-generated code, it also brings "silent killers" of vulnerability: exploitable flaws that evade traditional security tools while the software performs perfectly.
A detailed analysis of secure vibe coding practices is available here.
TL;DR: Secure vibe coding
Vibe coding, using natural language to create software with AI, is revolutionizing development in 2025. But while it accelerates prototyping and democratizes coding, it also introduces "silent killers" of vulnerability: working flaws that pass the tests but slip past traditional security tools.
This article covers:
- Real-world examples of AI-generated code in production
- Shocking statistics: a 40% higher rate of leaked secrets
- Why LLMs omit security unless it is explicitly requested
- Secure prompting tips and a comparison of tools (GPT-4, Claude, Cursor, etc.)
- Regulatory pressure from the EU AI Act
- A practical workflow for secure AI-assisted development
Bottom line: AI can write the code, but it will not secure it unless you ask, and even then you still need to verify. Speed without security is just fast failure.
Introduction
Vibe coding exploded in 2025. Coined by Andrej Karpathy, the idea is that anyone can describe what they want and get working code from large language models. In Karpathy's words, vibe coding is where you "fully give in to the vibes, embrace exponentials, and forget that the code even exists."
From prompt to prototype: New Development Model
The model is no longer theoretical. Pieter Levels (@levelsio) famously launched a multiplayer flight sim, Fly.Pieter.com, using AI tools such as Cursor, Claude and Grok 3. He built the first prototype in 3 hours from a single prompt:
“Make a 3D flying game in the browser.”
Within 10 days he had made $38,000 from the game, and he was earning about $5,000 a month from advertising as the project scaled to 89,000 players by March 2025.
But it is not just games. Vibe coding is being used to build MVPs, internal tools, chatbots and even early versions of full applications. According to a recent analysis, almost 25% of Y Combinator startups now use AI to generate the bulk of their codebases.
Before you dismiss this as ChatGPT hype, consider the scale: we are not talking about toy projects or weekend prototypes. These are funded startups building systems that process real user data, handle payments and integrate with critical infrastructure.
Promise? Faster iteration. More experiments. Less delay.
But this speed has a hidden cost. AI-generated code produces what security researchers call "silent killers": code that works perfectly in testing but contains exploitable flaws that bypass traditional security tools and survive CI/CD pipelines all the way to production.
The problem: security does not happen automatically
The catch is simple: AI generates what you ask for, not what you forget to ask for. In many cases that means critical security features are simply left out.
The problem is not just naive prompting; it is systemic:
- LLMs are trained for completion, not for protection. If security is not explicitly in the prompt, it is usually ignored.
- Tools such as GPT-4 can suggest outdated libraries or verbose patterns that mask subtle vulnerabilities.
- Sensitive data is often hardcoded because the model "saw it" in its training examples.
- Prompts such as "build a login" often yield dangerous patterns: plaintext password storage, no MFA and broken authentication flows.
According to the new Secure Vibe Coding guide, this leads to what they call "security by inaction": working software that quietly ships with exploitable flaws. In one cited case, a developer used AI to fetch stock prices from an API and accidentally committed his hardcoded key to GitHub. One line led to a real-world vulnerability.
Here is another real example. A developer prompted an AI to "create a password reset function that sends a reset email." The AI produced working code that sent the emails and validated the tokens. But it used a non-constant-time string comparison to check the tokens, creating a timing side channel through which an attacker could reconstruct reset tokens by measuring response times. The function passed all functional tests, worked fine for legitimate users, and would have been impossible to detect without specific security testing.
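The hardcoded-key case above is exactly what a pre-commit secret scan is meant to catch. The following is an added example written for this article, not code from the guide or from any scanner it mentions: a small Python scanner that combines a few well-known credential patterns with a Shannon-entropy check on generic `key = "..."` assignments, run over a constructed sample of what an AI-generated "fetch stock prices" script might look like. The pattern set, the 3.5-bit threshold and every sample value (including the AWS documentation example key) are assumptions for illustration; none of the values is a real credential.

```python
import math
import re

# Rules for well-known credential formats. Constructed for this example; real
# scanners such as GitGuardian or gitleaks ship far larger rule sets.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Generic "name = 'value'" assignments; the value is checked for entropy below.
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[=:]\s*['\"]([^'\"]{12,})['\"]"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits per character. Random keys score roughly 4.5+, English words 3 or below."""
    if not s:
        return 0.0
    length = len(s)
    return -sum(
        (s.count(c) / length) * math.log2(s.count(c) / length) for c in set(s)
    )


def scan_lines(lines, entropy_threshold: float = 3.5):
    """Return (line_no, rule_name, value) for every suspected hardcoded secret."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for rule, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                if rule == "generic_assignment":
                    value = match.group(2)
                    # Low-entropy values such as "changemechangeme" are placeholders,
                    # not credentials; skip them to keep the noise down.
                    if shannon_entropy(value) < entropy_threshold:
                        continue
                else:
                    value = match.group(0)
                findings.append((line_no, rule, value))
    return findings


# Constructed sample: an AI-generated "fetch stock prices" script just before
# commit. None of these values is a real credential.
SAMPLE_SOURCE = [
    "import os, requests",
    'API_KEY = "sk_live_9f8A7b6C5d4E3f2G1h0IjKlMnOpQrSt"',  # hardcoded, high entropy
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",              # AWS documentation example key
    'token = os.environ["STOCK_API_TOKEN"]',                 # correct: read from the environment
    'password = "changemechangeme"',                         # placeholder, low entropy
]


def scan_sample():
    return scan_lines(SAMPLE_SOURCE)


if __name__ == "__main__":
    for line_no, rule, value in scan_sample():
        print(f"line {line_no}: {rule}: {value[:8]}...")
```

Wired into a pre-commit hook, a check like this fails the commit on lines 2 and 3 of the sample while letting the environment lookup and the placeholder through. The entropy gate is what keeps a generic pattern usable: without it, every `password = "changemechangeme"` in a test fixture would be a false positive.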
Technical reality: AI needs guardrails
The guide offers a deep dive into how different tools handle secure code and how to prompt them properly. For example:
- Claude is typically more conservative and often flags risky code with comments.
- Cursor AI is tuned for real-time editing and may surface vulnerabilities during refactoring.
- GPT-4 needs explicit constraints, for example:
- "Create [feature] with OWASP Top 10 protections. Include rate limiting, CSRF protection and input validation."
The guide even includes secure prompt templates, for example:
# Insecure
"Build a file upload server"
# Secure
"Build a file upload server that only accepts JPEG/PNG, limits files to 5MB, sanitizes filenames, and stores them outside the web root."
Lesson: if you don't say it, the model won't do it. And even if you say it, you still need to verify.
Regulatory pressure is mounting. The EU AI Act now classifies some vibe-coding uses as "high-risk systems" requiring conformity assessment, especially in critical infrastructure, healthcare and financial services. Organizations must document AI involvement in code generation and maintain audit trails.
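To show what the secure upload prompt above actually asks for, here is an added example written for this article (not code from the guide or from any tool it names) of the validation layer a reviewer should expect to find in the model's output: type checks by magic bytes rather than by extension, a 5 MB cap, filename sanitization that strips path components, and a storage path outside the web root. The `/srv/uploads` location, the `UploadRejected` class and the helper names are assumptions for illustration.

```python
import re
import unicodedata
from pathlib import Path

MAX_BYTES = 5 * 1024 * 1024
# Assumed storage location: outside the web root, so a stored file can never be
# fetched (or executed) directly by URL.
UPLOAD_ROOT = Path("/srv/uploads")

# Accept by content, not by the client's extension or Content-Type header.
SIGNATURES = {
    "image/jpeg": (b"\xff\xd8\xff", ".jpg"),
    "image/png": (b"\x89PNG\r\n\x1a\n", ".png"),
}


class UploadRejected(ValueError):
    """Raised for any upload that fails validation."""


def sniff_type(data: bytes) -> str:
    for mime, (magic, _ext) in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    raise UploadRejected("not a JPEG or PNG (magic bytes do not match)")


def sanitize_filename(name: str) -> str:
    # Keep only the last path component: neutralizes "../../etc/passwd" and "C:\x".
    base = re.split(r"[\\/]", name)[-1]
    base = unicodedata.normalize("NFKC", base)
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    base = base.strip("._")          # no hidden files, no "..", no empty stem
    if not base:
        raise UploadRejected("filename empty after sanitization")
    return base[:100]


def validate_upload(data: bytes, client_name: str, root: Path = UPLOAD_ROOT) -> Path:
    """Validate an upload and return the path it may be written to."""
    if len(data) > MAX_BYTES:
        raise UploadRejected(f"file exceeds {MAX_BYTES} bytes")
    mime = sniff_type(data)
    ext = SIGNATURES[mime][1]        # extension follows the sniffed type, not the client
    stem = Path(sanitize_filename(client_name)).stem or "upload"
    target = (root / f"{stem}{ext}").resolve()
    # Defence in depth: refuse anything that still resolves outside the root.
    if root.resolve() not in target.parents:
        raise UploadRejected("target path escapes the upload root")
    return target


def save_upload(data: bytes, client_name: str, root: Path = UPLOAD_ROOT) -> Path:
    target = validate_upload(data, client_name, root)
    root.mkdir(parents=True, exist_ok=True)
    with open(target, "xb") as fh:    # "x": never overwrite an existing file
        fh.write(data)
    return target


def is_rejected(data: bytes, client_name: str) -> bool:
    """True if validate_upload would refuse this upload (convenience for checks)."""
    try:
        validate_upload(data, client_name)
    except UploadRejected:
        return True
    return False
```

Note that a PHP file renamed `shell.png` is rejected on content, a `.PNG` name carrying JPEG bytes is stored as `.jpg`, and a name of `../../etc/passwd` collapses to `passwd.png` under the upload root. A model prompted only with "build a file upload server" will usually produce none of these checks.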
Secure vibe coding in practice
For teams deploying vibe-coded software to production, the guide suggests a clear workflow:
- Prompt with security context – write prompts as if you were threat modeling.
- Multi-stage prompting – generate first, then ask the model to review its own code.
- Automated testing – integrate tools such as Snyk, SonarQube or GitGuardian.
- Human review.
```python
import hmac

# Insecure AI output: `==` exits at the first mismatching byte, so response time leaks how much of the token is right
if token == expected_token:
    ...
# Secure version: constant-time comparison
if hmac.compare_digest(token, expected_token):
    ...
```
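The snippet above fixes the comparison, but the password-reset case described earlier has more than one failure mode: a token stored in plaintext is usable by anyone who reads the database, a token without an expiry is usable forever, and `compare_digest` on raw strings still returns early when the lengths differ. The following is an added example written for this article, not code from the guide or from the developer's project, showing the whole token lifecycle done properly in Python: tokens from a CSPRNG, only their SHA-256 hash stored, a 15-minute expiry, single use, and a constant-time comparison of fixed-length digests. The in-memory store, the injectable clock and the 15-minute TTL are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # assumed policy: reset links are valid for 15 minutes


def token_digest(token: str) -> bytes:
    """Fixed-length fingerprint of a token; this is what gets stored and compared."""
    return hashlib.sha256(token.encode("utf-8")).digest()


class ResetTokenStore:
    """In-memory store of hashed reset tokens. Constructed for this example; a real
    application would keep the same two fields per user in its database."""

    def __init__(self, now=time.time):
        self._now = now               # injectable clock so expiry can be exercised
        self._pending = {}            # user_id -> (sha256(token), expires_at)

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[user_id] = (token_digest(token), self._now() + TOKEN_TTL_SECONDS)
        return token                                # goes into the email; never stored

    def redeem(self, user_id: str, presented: str) -> bool:
        record = self._pending.get(user_id)
        if record is None:
            return False
        stored_digest, expires_at = record
        if self._now() > expires_at:
            del self._pending[user_id]              # expired: drop it
            return False
        # Hashing first makes both operands the same length; compare_digest then
        # takes the same time regardless of where (or whether) they differ.
        ok = hmac.compare_digest(token_digest(presented), stored_digest)
        if ok:
            del self._pending[user_id]              # single use
        return ok
```

The design choice worth noting is that the timing fix and the storage fix are the same line: by comparing digests rather than tokens, a database leak exposes nothing redeemable and the comparison has no length-dependent early exit. Functional tests of "does the email arrive and does the link work" would pass the insecure version just as happily, which is why this check belongs in security review rather than in the test suite alone.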
The security paradox
Vibe coding democratizes software development, but democratization without guardrails creates systemic risk. The same natural-language interface that lets non-technical users build applications also distances them from understanding the security consequences of their requests.
Organizations are responding with tiered access models: sandboxed environments for domain experts, guided development for developers, and full access for security engineers.
Vibe coding ≠ code replacement
The smartest organizations treat AI as an augmentation layer, not a replacement. They use vibe coding to:
- Accelerate tedious boilerplate tasks
- Learn new frameworks with guardrails in place
- Prototype experimental features for early testing
But they still rely on experienced engineers for architecture, integration and final polish.
This is the new reality of software development: English is becoming a programming language, but only if you still understand the underlying systems. Organizations that succeed with vibe coding are not replacing traditional development; they are augmenting it with security practices, proper oversight and the recognition that speed without security is just fast failure. The choice is not whether to adopt AI, but how to do it securely.
For those looking to dig deeper into secure vibe coding practice, the complete guide provides extensive recommendations.
Security-focused analysis of AI coding systems

| AI system | Key strengths | Security features | Limitations | Best use cases | Security notes |
|---|---|---|---|---|---|
| OpenAI Codex / GPT-4 | Versatile, strong comprehension | Vulnerable-code identification (via Copilot) | May suggest outdated libraries | Full-stack web development, complex algorithms | Verbose code can obscure security problems; weak on system-level security |
| Claude | Strong explanations, natural language | Flags risky code | Less specialized for coding | Documentation-heavy, security-critical applications | Excels at explaining security implications |
| DeepSeek Coder | Coding-specialized, repository knowledge | Built-in repository embeddings | Limited general knowledge | Critical system-level programming | Strong static analysis; limited detection of security flaws |
| GitHub Copilot | IDE integration, repository context | Real-time security scanning, OWASP detection | Over-reliance on context | Rapid prototyping, developer workflows | Better at detecting known insecure patterns |
| Amazon CodeWhisperer | AWS integration, policy compliance | Security scanning, compliance detection | AWS-oriented | Cloud infrastructure, compliance-bound environments | Strong at generating compliant code |
| Cursor AI | Natural-language editing, refactoring | Built-in security checks | Less suited to new, large codebases | Iterative refinement, security audits | Identifies vulnerabilities in existing code |
| Base44 | No-code builder, conversational | Built-in auth, secured infrastructure | No direct code access, platform-limited | Fast MVPs, non-technical users, business automation | Platform-managed security creates vendor lock-in |

The full guide includes secure prompt templates for 15 application patterns, security configurations, and the enterprise implementation framework any AI development team needs.