{"id":478309,"date":"2025-10-06T14:51:31","date_gmt":"2025-10-06T14:51:31","guid":{"rendered":"https:\/\/www.europesays.com\/uk\/478309\/"},"modified":"2025-10-06T14:51:31","modified_gmt":"2025-10-06T14:51:31","slug":"vibe-coding-is-the-new-open-source-in-the-worst-way-possible","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/uk\/478309\/","title":{"rendered":"Vibe Coding Is the New Open Source\u2014in the Worst Way Possible"},"content":{"rendered":"<p>Just like you probably don&#8217;t grow and grind wheat to make flour for your bread, most software developers don&#8217;t write every line of code in a new project from scratch. Doing so would be extremely slow and could create more security issues than it solves. So developers draw on existing libraries\u2014often open source projects\u2014to get various basic software components in place.<\/p>\n<p class=\"paywall\">While this approach is efficient, it can create exposure and a lack of visibility into software. Increasingly, however, <a href=\"https:\/\/www.wired.com\/story\/vibe-coding-engineering-apocalypse\/\" target=\"_blank\" rel=\"noopener\">vibe coding<\/a> is being used in a similar way, allowing developers to <a href=\"https:\/\/www.wired.com\/story\/why-did-a-10-billion-dollar-startup-let-me-vibe-code-for-them-and-why-did-i-love-it\/\" target=\"_blank\" rel=\"noopener\">quickly spin up code<\/a> that they can simply adapt rather than writing from scratch. Security researchers warn, though, that this new genre of plug-and-play code is making software-supply-chain security even more complicated\u2014and dangerous.<\/p>\n<p class=\"paywall\">\u201cWe&#8217;re hitting the point right now where AI is about to lose its grace period on security,\u201d says Alex Zenla, chief technology officer of the cloud security firm Edera. \u201cAnd AI is its own worst enemy in terms of generating code that\u2019s insecure. 
If AI is being trained in part on old, vulnerable, or low-quality software that&#8217;s available out there, then all the vulnerabilities that have existed can reoccur and be introduced again, not to mention new issues.\u201d<\/p>\n<p class=\"paywall\">In addition to sucking up potentially insecure training data, the reality of vibe coding is that it produces a rough draft of code that may not fully take into account all of the specific context and considerations around a given product or service. In other words, even if a company trains a local model on a project&#8217;s source code and a natural language description of goals, the production process is still relying on human reviewers&#8217; ability to spot any and every possible flaw or incongruity in code originally generated by AI.<\/p>\n<p class=\"paywall\">\u201cEngineering groups need to think about the development lifecycle in the era of vibe coding,\u201d says Eran Kinsbruner, a researcher at the application security firm Checkmarx. \u201cIf you ask the exact same LLM model to write for your specific source code, every single time it will have a slightly different output. One developer within the team will generate one output and the other developer is going to get a different output. So that introduces an additional complication beyond open source.\u201d<\/p>\n<p class=\"paywall\">In a Checkmarx <a data-offer-url=\"https:\/\/checkmarx.com\/report-future-of-appsec-2025\/#form\" class=\"external-link\" data-event-click=\"{&quot;element&quot;:&quot;ExternalLink&quot;,&quot;outgoingURL&quot;:&quot;https:\/\/checkmarx.com\/report-future-of-appsec-2025\/#form&quot;}\" href=\"https:\/\/checkmarx.com\/report-future-of-appsec-2025\/#form\" rel=\"nofollow noopener\" target=\"_blank\">survey<\/a> of chief information security officers, application security managers, and heads of development, a third of respondents said that more than 60 percent of their organization\u2019s code was generated by AI in 2024. 
But only 18 percent of respondents said that their organization has a list of approved tools for vibe coding. Checkmarx polled thousands of professionals and published the findings in August\u2014emphasizing, too, that AI development is making it harder to trace \u201cownership\u201d of code.<\/p>\n","protected":false},"excerpt":{"rendered":"Just like you probably don&#8217;t grow and grind wheat to make flour for your bread, most software developers&hellip;\n","protected":false},"author":2,"featured_media":478310,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3163],"tags":[323,1942,3457,15986,10733,811,7154,53,16,15,94795],"class_list":{"0":"post-478309","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"tag-ai","9":"tag-artificial-intelligence","10":"tag-cybersecurity","11":"tag-hacking","12":"tag-open-source","13":"tag-security","14":"tag-software","15":"tag-technology","16":"tag-uk","17":"tag-united-kingdom","18":"tag-vulnerabilities"},"share_on_mastodon":{"url":"https:\/\/pubeurope.com\/@uk\/115327787515294719","error":""},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/478309","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/comments?post=478309"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/posts\/478309\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/media\/478310"}],"wp:attachment":[{"href":"https:\/\/www.europesays.c
om\/uk\/wp-json\/wp\/v2\/media?parent=478309"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/categories?post=478309"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/uk\/wp-json\/wp\/v2\/tags?post=478309"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}