COMMENTARY: The software world has experienced an explosion of AI-assisted coding. Developers can now generate entire applications by describing what they want in plain English.
This trend – nicknamed
"vibe coding" – shifts programming from writing code to
guide AI to embracing a "move fast and prompt often" approach.
Y Combinator reports that 25% of startups in its Winter 2025 batch had codebases 95% generated by AI. The appeal makes sense: why spend weeks coding when an AI agent can build a working app overnight?
[
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
But this rapid development comes with serious downsides.
Vibe coding often means using AI-generated code with minimal human oversight. Code gets accepted on faith rather than through rigorous review. Developers may deploy
AI-written code without fully understanding it, leading to undetected bugs and security vulnerabilities.
The dependency problem in open source
Modern applications heavily rely on open source libraries. A single prompt to "build me a web app" can lead an AI to pull in dozens of dependencies. Each dependency carries its own potential vulnerabilities – and when code gets assembled at breakneck speed, security checks often fall by the wayside.
Open source components are widely reused, so a flaw in one library can cascade into thousands of applications. Vibe coding amplifies this risk. An AI agent might include an outdated package with known vulnerabilities because it "works," unaware of the security implications. If an AI helper imported this library, the project would inherit that backdoor automatically.
The gap between code volume and security capacity
The acceleration of development through AI has created a widening gap between code production and security review capacity. Organizations already struggle with vulnerability backlogs. Now imagine adding an avalanche of new AI-written code every day. Over
40,000 CVEs were disclosed in 2024 – a 38% jump from the previous year. Each vulnerability represents a to-do item for defenders, with thousands more added monthly.
Startups embracing vibe coding may ship features faster than ever while accumulating security debt at an unsustainable rate. Every
quick app created by AI might require dozens of patches later when properly tested. This dynamic creates massive backlogs and burnout for security teams. Unfortunately, attackers are fully aware of this imbalance and racing to exploit it.
Attackers use AI to accelerate exploits
If AI coding agents are a double-edged sword, the sharper edge now belongs to attackers. The same AI capabilities that help developers create code also let malicious actors find vulnerabilities and write exploits at unprecedented speed.
A landmark study by researchers at the University of Illinois Urbana-Champaign found that GPT-4 could autonomously exploit 87% of "one-day" vulnerabilities—those publicly disclosed but not yet patched—when provided with CVE descriptions. In contrast, previous-generation models like GPT-3.5 and open-source vulnerability scanners such as ZAP and Metasploit failed entirely, achieving a 0% success rate.
This research has already played out in practice. In April 2025,
a security researcher used GPT-4 and Claude Sonnet 3.7 to develop a working proof-of-concept exploit for a critical bug in Erlang's SSH library (CVE-2025-32433) in just a few hours.
The process, which previously required days or weeks of specialized manual effort, was reduced to a single afternoon. When the initial attempt failed, the researcher simply used another AI agent to debug and repair the exploit, demonstrating the rapid iteration these tools enable.
The implications are sobering: what used to take skilled hackers days or weeks now happens in an afternoon with AI. By the time a vulnerability gets announced and defenders scramble to patch, AI-powered bots could already probe systems worldwide for that exact flaw.
Given today’s vibe coding approach, rapid AI-driven development with little oversight isn't sustainable or responsible. If left unchecked, it can lead to software that functions on the surface, but harbors numerous vulnerabilities underneath. Using AI for a weekend project differs greatly from relying on it for production systems containing sensitive data. The cost of a breach far outweighs the speed gains of deploying unvetted code.
This doesn't mean AI-assisted development is doomed, but we need to address the risks. Most real software engineering happens in maintaining systems over time, which becomes difficult when code becomes a black box written by AI, and every update introduces new security questions.
However, we
can harness AI coding productivity while minimizing security risks by integrating security throughout the development lifecycle. Leading strategies include embedding security checks early and continuously in development rather than as an afterthought. Developers should integrate static analysis tools and vulnerability scanners directly into their coding workflow to flag issues immediately.
Organizations can leverage AI for defense as well as development. AI models can act as automated code auditors, offering real-time feedback on generated code. This creates a system in which AI helps write code and simultaneously checks it for security issues.
When using open source components, developers need to stay intentional and minimal. Track dependencies with a software bill of materials, pin to known-safe versions, and monitor for vulnerabilities. In AI-assisted development, it's easy to accumulate dependencies; resist this tendency to reduce the attack surface.
Finally, establish a culture that doesn't blindly trust AI. Teams should create guidelines for reviewing AI-generated code and update security training to cover AI-specific scenarios. Treat AI as a powerful tool that requires careful handling.
By acknowledging these challenges and adjusting our development practices, we can enjoy AI productivity benefits without constantly facing security crises. Our goal: harness AI-assisted coding while building security into every step of the process.
Itamar Sher, chief executive officer, Seal SecuritySC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
