Vibe Coding: The Latest Trend in Open Source—But Not in a Good Way

Just as you likely don’t mill and process wheat to obtain flour for your bread, most software developers do not write every line of a new project from the ground up. Doing so would be exceedingly inefficient, and reimplementing everything by hand would likely introduce more security vulnerabilities than it avoids. Instead, developers build on existing libraries, often sourced from open-source projects, for the fundamental components of their software.

That strategy is efficient, but it can also introduce risk and reduce visibility into what a program actually contains. Vibe coding, the emerging practice of prompting an AI model to produce code, is now being used in much the same way: developers quickly generate adaptable code rather than starting from scratch. Security experts caution that this new form of plug-and-play code makes software-supply-chain security both more complicated and more dangerous.

“We’re reaching a moment where AI is about to lose its grace period concerning security,” states Alex Zenla, chief technology officer of cloud security company Edera. “AI poses the greatest threat to itself by producing insecure code. If AI is trained partly on outdated, vulnerable, or low-quality software, all existing vulnerabilities could resurface, and new issues may emerge as well.”

In addition to absorbing potentially insecure training data, vibe coding inherently produces a rough draft that may not account for the specific requirements and constraints of a particular product or service. Even if a company trains a local model on a project’s source code together with a natural-language outline of its objectives, the production process still depends on human reviewers to catch every flaw or inconsistency in the AI-generated code.

“Engineering teams must rethink the development lifecycle in this era of vibe coding,” advises Eran Kinsbruner, a researcher at Checkmarx, an application security firm. “When you prompt the same LLM model to write for your specific source code, the output will vary slightly each time. One developer will generate one result, while another will produce a different one. This adds an extra layer of complexity beyond open source.”

In a Checkmarx survey of chief information security officers, application security managers, and development leaders, one-third of respondents said that more than 60 percent of their organization’s code was generated by AI in 2024. Yet only 18 percent of those respondents reported having a list of approved tools for vibe coding. Checkmarx surveyed thousands of professionals and published the findings in August, noting as well that AI-assisted development is making it harder to trace the “ownership” of code.
