Explore how AI has revolutionized software engineering, empowering millions of new coders while unleashing new risks for security and society alike.

Vercel
Interviewed: Rich Harris
Thanks for coming out. Thanks for sticking around. My name is Alex. I work for a little company called Corridor. I'm here to talk a little bit about vibe coding and some of the fascinating things going on from a security perspective. First off, I'm actually a big fan of using AI to do code generation, and I think this is an incredible opportunity for people to utilize computers in a way they never have.

There are a bunch of professional software developers in the room. So, you know, those of us who grew up writing code, who grew up using computers from a command line or coding them from an early age, we don't really understand what this means for normal people. But for the first time ever, normal people are going to be able to utilize computers how they really should have been available to people for a long period of time, right? Like, coding is a superpower. Being able to ask computers to do things without having to buy software or use open source or get other people to write code for you, that is a superpower. And vibe coding is bringing that to millions of people. So that is an incredible thing. We should be super happy that we're at the start, the very start, of this revolution that is going to bring accessibility to everybody.

It's also an amazing footgun. And footgun is probably actually an understatement. It's like a foot bazooka that we're giving to all these people. There are example after example after example out there of bad things that are happening to normal people when they are vibe coding apps. Some of which are just fun little things like their kids' little league scheduler, or things that they're putting their personal data in. Some people are vibe coding medical record systems or bitcoin systems or things that are holding personal data or taking people's credit card numbers or storing people's driver's licenses. There's tons of examples of people using vibe coding apps to create things that are important.

Perhaps some competing platforms that shall not be named, but whose names are very visible and obvious behind me, are making this especially bad because they're using very poor defaults and not making this easy for folks, and making it really easy for them to use really bad default configurations of things like Supabase, which isn't Supabase's fault. It's just that the vibe coding platform, some other platforms, do not configure these things securely by default. This is not great. And it's not even only in the situation where we're talking about just straight vibe coding on a platform, but professionals utilizing them as well.

We actually have good empirical academic data on this. This is an excellent paper I recommend you read called BaxBench. An academic group went and created a bunch of prompts that they thought, huh, here are prompts for coding agents that we think might create back-end code that could have security vulnerabilities. And then they tested these prompts against a bunch of coding tools and LLMs to see, one, whether the code generated was correct and, two, whether it had security flaws. And to their credit, they actually keep on updating this as new models come out and publish it. You can go check this out. And as you might expect, LLMs actually, one, make a lot of mistakes, but also introduce lots of flaws.

Now, this is trending the right way, and you don't have to take pictures of this. You can go to baxbench.com and get a much easier to read version. Also, all their code is open source, so you can recreate this yourself. So one, this is trending the right way, right? So if you look even within a family of products. So like if you look at OpenAI's family of products, it's