Are Vibe Coding Companies Sleepwalking Into Cyberthreats?

The rise of AI-assisted software development is creating a new wave of security challenges that could dwarf the problems posed by open source dependencies, according to cybersecurity researchers.
So-called "vibe coding" – where developers use LLMs to generate functional code snippets – has rapidly become a standard practice across the industry.
Earlier this year, Meta's Mark Zuckerberg projected that by 2026 most code will be written by AI. His prediction is already being borne out in emerging statistics.
A recent Checkmarx survey found that one-third of Chief Information Security Officers say that more than 60% of their organisation's code was AI-generated in 2024.
But while using AI to complete a notoriously difficult and arcane task saves a great deal of money and time, the practice has some alarming drawbacks that many companies are not fully considering.
That too is revealed in Checkmarx's study: just 18% of respondents said their companies maintain a list of approved coding tools.
The training data problem
The fundamental issue lies in how these models learn to write code in the first place.
"If AI is being trained in part on old, vulnerable, or low-quality software that's available out there, then all the vulnerabilities that have existed can reoccur and be introduced again, not to mention new issues," says Alex Zenla, CTO of cloud security firm Edera.
This represents a critical difference from traditional open source usage, where developers can at least inspect and audit the code they're incorporating.
"AI code is not very transparent," says Dan Fernandez, Head of AI Products at Edera.
"In repositories like GitHub you can at least see things like pull requests and commit messages to understand who did what to the code, and there's a way to trace back who contributed," he adds.
"But with AI code, there isn't that same accountability of what went into it and whether it's been audited by a human."
The consistency problem
Beyond security vulnerabilities, vibe coding introduces an unusual consistency challenge that doesn't exist with traditional development methods.
"If you ask the exact same LLM model to write for your specific source code, every single time it will have a slightly different output," says Eran Kinsbruner, VP of Product Marketing at Checkmarx.
"One developer within the team will generate one output and the other developer is going to get a different output. So that introduces an additional complication beyond open source."
This variability makes it difficult to maintain standardised coding practices across development teams, even when they are ostensibly using the same AI tools to solve identical problems, and it means a security review of one generated snippet says little about the next one.
The end of the grace period
The window for addressing these issues before they become catastrophic may be closing rapidly.
"We're hitting the point right now where AI is about to lose its grace period on security," Alex warns.
"And AI is its own worst enemy in terms of generating code that's insecure."
The risks extend beyond enterprise environments to affect those who can least afford security breaches.
"There's a whole lot of talk about using AI to help vulnerable populations, because it uses less effort to get to something usable," Alex says.
"And I think these tools can help people in need, but I also think that the security implications of vibe coding will disproportionately impact people who can least afford it."
Learning from the lessons of the past
The solution, according to security experts, involves applying lessons already learned from decades of open source development.
"The fact is that AI-generated material is already starting to exist in code bases," says Jake Williams, a former NSA hacker and current VP of R&D at Hunter Strategy.
"We can learn from advances in open source software-supply-chain security – or we just won't, and it will suck."
The challenge now is whether the industry will implement robust governance frameworks before vibe coding's proliferation creates the next generation of critical vulnerabilities.