Vibecoding x Cybersecurity: Survival Guide by the Expert Who Fixes Your Code After You

Don’t ship your next feature without these safety checks and fix the 7 code mistakes leaving your startup wide open.

Hey, I’m Karo 🤗
I’m an AI product manager and creator of StackShelf.app. I build with AI every day, and spend a good chunk of time teaching others how to do it right.

The cybersecurity critics of vibecoding are right about the risks.
They’re just wrong about the solution.
The answer isn’t “don’t vibecode at all.”
It’s “vibecode responsibly, with solid engineering foundations.”

If you’re new here, welcome! Here’s what you might’ve missed:
Vibecoding Tips: The Ultimate Collection
Claude Skills Are Taking the AI Community by Storm
10x Your Productivity with Perplexity Comet: 11 Use Cases from “Nice” to “Wow!”

The cybersecurity critiques of vibecoding are valid.
So instead of debating them, I partnered with an expert to map the absolute minimum you need to consider when coding with AI.

Today’s guide was authored by the brilliant

Farida Khalaf

, a Data Engineer specializing in cybersecurity. I met Farida here on Substack. She’s one of those rare writers you follow after one post, and for me, that post was this one: There’s No Real Money in AI Business, Just Rented Dreams and Delusional Valuations.

We’ve also included a bonus commentary from

skelly

, a cybersecurity expert specializing in critical infrastructure.

Together, we’ll show you how to vibecode fast and securely, with practical examples, and a minimal security checklist you can actually follow.

Who This Guide Is For

You should read this if:

• You’ve read the Ultimate Collection of Vibecoding Tips.

• You use AI to generate code.

Enjoy!

---

Vibecoding Meets Cybersecurity: Notes from the Expert Who Fixes Your Code After You

I build data pipelines and analytics tools, often at speed, sometimes at 2 AM when inspiration strikes. I’ve also cleaned up security incidents that started with “I just needed to test something quickly.”

That tension between moving fast and staying secure isn’t theoretical for me, it’s the daily reality of building with data.

Vibecoding is often done based on intuition and speed rather than meticulous planning. You describe what you want, the AI generates working code, and within minutes you have a functioning app.

It’s powerful, addictive, and without guardrails - dangerous.

The question is how to vibecode without leaving vulnerabilities behind.

---

The Five Quiet Failures

Vibecoding doesn’t fail with sirens and red alerts. It fails quietly, in ways that don’t surface until a security review.

1. Prompt Leakage

⚠️ The problem: Accidentally sending production credentials to a third party.

🧐 Scenario 1:
You’re debugging a failed connection and paste this into ChatGPT:

Help me debug: 
Error: Connection failed
postgresql://analytics_user:zK7$mP2024@prod-db.company.com:5432/customers

Congratulations, you just sent production credentials to a third party.

🛠️ How to fix: Always scrub before sharing.
Scrubbing = removing sensitive information before you share data.

---

🧐 Scenario 2:
You’re trying to retrieve all the data for a customer from your database, but it doesn’t work.

❌ BAD: Pasting real data into AI chat
Why doesn’t this work? SELECT * FROM customers WHERE email=’john.doe@realcompany.com

✅ GOOD: Use synthetic data for debugging
Why doesn’t this work? SELECT * FROM customers WHERE email=’user1@example.com’

---

2. Over-Permissioned Prototypes

⚠️ The problem: AI generates code that works immediately by requesting broad permissions.

🧐 Scenario:
You’re trying to read the entire users table from the PostgreSQL database called customers for analysis, monitoring, or to display in your app.

import psycopg2

conn = psycopg2.connect(

“postgresql://admin:temp123@prod-db:5432/customers”

)

cursor = conn.cursor()

cursor.execute(”SELECT * FROM users”) # All columns, all rows

rows = cursor.fetchall()

cursor.close()

conn.close()

What’s wrong:

• Admin credentials in code

• Full table access when you only need recent records

• Production database accessed from development code

• No credential expiration or rotation mechanism

🛠️ How to fix:

📒 Real incident: A colleague’s Airflow DAG had database admin credentials “for testing.” When the DAG failed, those credentials appeared in our centralized logging system visible to everyone with log access.

---

3. The Prototype That Never Dies

⚠️ The problem: Internal tools are often left unsecured, creating serious vulnerabilities.

🧐 Scenario: You build a “quick internal dashboard” with no authentication. Three months later, it’s been bookmarked, shared in Slack, and someone’s accessing it from airport WiFi.

Reality check: “Internal only” is a wish, not a security control.

---

4. Unverified Dependencies

⚠️ The problem: Installing dependencies without checking if they’re safe or updated.

🧐 Scenario: AI suggests installing pandas, sqlalchemy, data-utils, query-helper. You install without checking. Three are legitimate. One was abandoned in 2020 with critical vulnerabilities.

🛠️ How to fix: Run a quick safety check:

pip show package-name # Check last update date and info

pip-audit # Scan installed packages for vulnerabilities

---

5. Hidden Credential Persistence

⚠️ The problem: Test tokens often outlive their purpose, quietly spreading across tools and repos until they become full-blown security leaks.

🧐 Scenario: Your test API token is now living in:

• Slack messages where you asked for help

• Log files from three months ago

• Clipboard manager history

• .bash_history

• Jupyter notebooks committed to Git

🛠️ How to fix: Set aggressive expiration times. If it’s for testing, one hour is plenty.

📒 Case Study: The Dashboard That Worked Too Well

A colleague vibecoded a support ticket dashboard using Claude. From idea to working prototype: two hours.

from flask import Flask, jsonify

import psycopg2

app = Flask(__name__)

@app.route(”/api/tickets”, methods=[’GET’])

def get_tickets():

conn = psycopg2.connect(”postgresql://readonly:pass123@db:5432/support”)

cursor = conn.cursor()

cursor.execute(”SELECT * FROM support_tickets”)

tickets = cursor.fetchall()

cursor.close()

conn.close()

return jsonify(tickets)

if __name__ == ‘__main__’:

app.run(host=’0.0.0.0’, port=5000) # Accessible from anywhere

Clean. Simple. Fast. The team loved it.

Within one week:

• 3,000+ tickets exposed: including customer credit cards and internal complaints

• No authentication: anyone with the URL could access it

• No access control: every user saw every ticket

• Hardcoded credentials in source code

• No audit trail: we couldn’t track who accessed what

How We Found Out:
Our security team discovered it during a routine audit. We were lucky. The potential GDPR violation could have resulted in fines of €20,000-€200,000 based on similar incidents.

🛠️ How to fix: Use better, more secure prompts. See A Minimal Flask API Template That Actually Protects You.

The Lesson

Speed amplifies assumptions. AI gave us exactly what we asked for: an endpoint that returns tickets. But it didn’t know:

• Tickets contain sensitive data

• Users should only see their assignments

• Access should be authenticated and logged

The AI wasn’t wrong, our prompt was incomplete.

The fix took 30 minutes. The potential damage would have taken months to recover from.

Better Prompts = Better Security

The fastest way to secure vibecoding is better prompts.

Example 1:

❌ Vulnerable Prompt

“Create a Flask API that returns user data from PostgreSQL”


✅ Secure Prompt

“Create a Flask API that returns user data from PostgreSQL with:

- Environment variables for database credentials (using python-dotenv)

- Basic HTTP authentication with password verification

- Role-based access control (admin sees all users, regular users see only their data)

- Parameterized queries to prevent SQL injection

- Audit logging for all data access

- Return only necessary columns (id, email, created_at), not full records

- Proper connection closing to prevent resource leaks”

Example 2:

❌ Vulnerable Prompt

Write an Airflow DAG to sync user data daily.


✅ Secure Prompt

Write an Airflow DAG to sync user data daily with:

- PostgresHook for credential management (no hardcoded passwords)

- Incremental sync using last_modified timestamp (only records changed since last run)

- Read-only database connection with minimum required permissions

- Error handling with exponential backoff retry logic

- Data validation before insert (check for required fields, data types)

- Logging that doesn’t expose PII (log row counts, not actual data)

- Connection pooling with proper cleanup

Four Essential Security Tools

1. Pre-Commit Security Scanning

Tools:

• bandit - scans Python code for security issues like hardcoded passwords, SQL injection, and insecure random number generation.

• pip-audit - checks your installed packages against a database of known vulnerabilities.

Example use:

# Install security tools once

pip install bandit pip-audit sqlfluff

# Run before every commit

bandit -r . -x ./venv,./tests # Find hardcoded secrets, SQL injection patterns

pip-audit # Check for vulnerable dependencies

sqlfluff lint . # Validate SQL queries (if you have .sql files)

---

2. Credential Management

🛠️ Tools:

• .gitignore - this is a file that tells your project which files or folders should be left out when you save or share your work using Git.

👇 Example:

# .env file (MUST add to .gitignore!)

DATABASE_URL=postgresql://localhost:5432/dev_analytics

API_KEY=sk-test-development-only

ENVIRONMENT=development

# Your Python code

import os

from dotenv import load_dotenv

# Load environment variables from .env file

load_dotenv()

# Validate required secrets exist

required = [’DATABASE_URL’, ‘API_KEY’]

missing = [var for var in required if not os.getenv(var)]

if missing:

raise ValueError(f”Missing required environment variables: {missing}”)

# Access credentials safely

DATABASE_URL = os.getenv(”DATABASE_URL”)

API_KEY = os.getenv(”API_KEY”)

---

3. Synthetic Data for Testing

🛠️ Tools:

• faker - Faker is a tool that creates fake, but realistic-looking data for testing

👇 Example:

from faker import Faker

import pandas as pd

fake = Faker()

def create_test_data(rows=1000):

“”“Generate synthetic data - never use production data for testing”“”

return pd.DataFrame({

‘user_id’: range(1, rows + 1),

‘email’: [fake.email() for _ in range(rows)],

‘name’: [fake.name() for _ in range(rows)],

‘created_at’: [fake.date_time_this_year() for _ in range(rows)]

})

# Use for all development and debugging

test_df = create_test_data()

print(f”Created {len(test_df)} test records”)

4. Automated Pre-Commit Hook

From Karo: An automated Pre-Commit Hook is a small script that automatically runs checks every time you try to save your changes in a coding project.

Save your file in the right spot, as .git/hooks/pre-commit, and tell your computer it’s allowed to use it whenever you save your work (chmod +x .git/hooks/pre-commit).

#!/bin/bash

set -e # Exit on first error

echo “Running security checks...”

# Check for credentials in staged files

if git diff --cached | grep -E “password|api[_-]?key|secret|token” -i; then

echo “❌ Possible credentials detected in staged files!”

echo “Remove credentials and use environment variables instead.”

exit 1

fi

# Check for data files that shouldn’t be committed

if git diff --cached --name-only | grep -E “\.csv$|\.xlsx$|\.db$|\.sqlite$”; then

echo “⚠️ Data files detected. Continue? (y/n)”

read -n 1 -r

echo

[[ ! $REPLY =~ ^[Yy]$ ]] && exit 1

fi

# Verify security tools are installed

command -v pip-audit >/dev/null 2>&1 || {

echo “❌ pip-audit not installed. Run: pip install pip-audit”;

exit 1;

}

command -v bandit >/dev/null 2>&1 || {

echo “❌ bandit not installed. Run: pip install bandit”;

exit 1;

}

# Run security scans on Python files

if git diff --cached --name-only | grep -q “\.py$”; then

echo “Running pip-audit...”

pip-audit --quiet || exit 1

echo “Running bandit...”

bandit -r . -q -x ./venv,./tests || exit 1

fi

echo “✅ Security checks passed”

---

The Minimal Security Checklist

Note from Karo: If you’re not familiar with the term “commit”, this free guide will help.

1. Before Your First Commit

• Create .env with all credentials

• Add .env to .gitignore

• Verify git status (should NOT show .env)

• Replace any hardcoded credentials with os.getenv()

2. Before Every Commit

• Run: bandit -r . -x ./venv

• Run: pip-audit

• Search code for: password, api_key, secret, token

• Always review AI-generated database code to make sure it can’t be abused, and use safe techniques (like parameterized queries) to protect your data.

3. Before Sharing Internally

• Add authentication, even for “internal” tools

• Implement role-based access control

• Add audit logging for data access

• Test with synthetic data only

4. Before Production

• Security review by second person

• Apply least-privilege to all database roles

• Set up monitoring and alerting

• Remove all debug code and print statements

• Document what’s NOT secured yet

• Test credential rotation procedures

When to Vibecode (Decision Matrix)

Not every build is vibecode-friendly. Here’s how to know when to roll with it, and when to step back.

Build Type Safety Guidelines

Some additions from Karo:

• Use AI coding tools for standard patterns and boilerplate, not for architectural decisions or innovation.

• Keep human oversight for any critical or novel tasks.

Resources Worth Bookmarking

• Security scanning

  • bandit – Scans Python code for common security flaws before they reach production.

    • 🎓 Official docs

  • pip-audit – Checks your project’s dependencies for known vulnerabilities and outdated packages.

    • 🎓 Official docs.

  • sqlfluff – Lints and formats SQL to catch risky queries or style issues early.

    • 🎓 Official Docs

• Credential management

  • python-dotenv – Loads environment variables from a .env file so you never hardcode credentials.

    • 🎓 Official Docs

• Testing data

  • faker – Generates realistic fake data for testing without exposing real user info.

    • 🎓 Official Docs

  • mimesis – Another synthetic data generator, with more localization and domain-specific options.

    • 🎓 Official Docs

• Pre-commit hooks

  • .git/hooks/pre-commit – Runs automated checks (like linting or tests) before you can commit, enforcing safety and consistency at the source.

  • 🎓 Official Docs

The gaps are probably your next security vulnerabilities. Fill them before someone else does.

---

Bonus: Skeptics, Builders, and Pragmatists: The Three Roles Every Product Team Needs

From Karo:

While researching this piece, I reached out to several experts. One of them,

skelly

, asked to stay anonymous due to their work in critical infrastructure systems.

When we first talked,

skelly

said something along the lines of, “I’m too skeptical for this piece.”

Perfect. That’s exactly who we needed.

If we’re going to learn anything real, we need this friction.

• Optimists show us what’s possible,

• Skeptics reveal the cracks that make it dangerous,

• Pragmatists bridge the gap between the two.

Skeptics are the immune system of innovation.
Without the “it can’t be done” crowd, innovation becomes blind faith.
Without the “here’s how it can be done” builders, progress stops at fear.

skelly

’s words below:

The Hidden Security Risk: Untested Functionality

There’s a more insidious risk that emerges from vibecoding’s accessibility: the absence of systematic testing creates a blind spot where functional bugs become security vulnerabilities.

Many vibecoding practitioners lack formal software engineering backgrounds and may not instinctively think in terms of test-driven development, code coverage, or quality assurance pipelines.

This gap is particularly dangerous because a subtle logical error (an off-by-one error in permission checking, or incorrect data validation that passes superficial inspection) can create exploitable weaknesses that are far harder to detect than obvious security anti-patterns.

When an application appears to work during happy-path testing but fails under edge cases, you’ve created a security vulnerability that won’t show up in any static analysis tool.

Take medical applications as an example. The yoga injury app that provides incorrect treatment guidance isn’t just a UX problem, it can cause real harm.

In regulated industries, that harm carries legal liability equivalent to a data breach.

The solution requires meeting vibecoders where they are while gradually elevating their practices.

1. Addressing The Gaps Through Prompt Engineering

Prompting can bootstrap a testing culture even among those unfamiliar with these concepts:

Examples of what to ask the AI to explicitly request test generation alongside implementation.

# Example 1
Write unit tests covering edge cases, error conditions, and security-relevant boundaries.

# Example 2
Generate property-based tests for input validation.

# Example 3
Apply test-driven development approach: write failing tests first, then implement.

# Example 4
Include integration tests that verify security controls  actually prevent unauthorized access.

2. Addressing The Gaps Through Better Tooling

However, prompts alone aren’t sufficient. The ecosystem needs better tooling that makes testing unavoidable rather than optional.

This could involve:

• AI coding assistants that refuse to mark a feature “complete” without accompanying tests.

• AI coding assistants that automatically generate test stubs that developers must either implement or explicitly skip with justification.

For LLM-integrated applications, where behavioral predictability is inherently limited, the testing challenge intensifies.

You need not just unit tests but also validation frameworks that check for hallucinations, prompt injections, and unexpected model outputs.

The security community should advocate for treating test coverage as a security control itself. Confidence in your application’s correct behavior under all conditions is the foundation upon which all other security measures rest.

Final Thoughts

Vibecoding with AI is not inherently insecure.
Vibecoding without thinking is.

Before you accept AI-generated code, ask:

Before You Accept AI-Generated Code, Ask Yourself:

1. Who can access this?
Only authenticated, authorized users should have access. Never assume “internal” means secure.

2. Is there an audit trail?
There must always be a verifiable way to track who did what, when, and from where.

3. What data is exposed?
Expose only the minimum required information. Every extra column, log, or debug printout is a potential liability.

4. Where are the credentials?
They belong in environment variables, secret managers, or vaults: never in code, configs, or chat prompts.

5. What happens if this leaks?
Design for failure. Assume credentials will leak and make sure the blast radius is minimal: short-lived tokens, read-only roles, and clear rotation policies.

6. What’s untested?
Every untested function is a potential vulnerability. Tests aren’t just about correctness, they’re a security control.

7. Does it fail safely?
When things break (and they will), does the system fail closed or fail open?
Failing open is convenient - until it’s catastrophic.

The 30 minutes you invest in security now will save you 30 hours of incident response later.

Additional Resources

• Best Vibecoding Guides & Prompts

• Prompt Pack: 100 Most Common UI Elements For Vibecoders

• PRD Template and Self-Auditing Prompt

• GitHub Setup for Complete Beginners

---

Join hundreds of Premium Members and unlock everything you need to build with AI. From prompt packs and code blocks to learning paths, discounts and the community that makes it so special.

WHY SUBSCRIBE ・LEARNING PATHS・ PREMIUM RESOURCES・ TOOLS ・TESTIMONIALS

---

You Might Also Enjoy

Vibecoding Our Way to a Breach by

Damien Lewke

Vibecoding + Cybersecurity: The Good, The Bad, and The Ugly by

Damien Lewke

Human in the Loop: Before it’s Too Late by

ToxSec

How Attackers Are Using TikTok Videos by

Rohit Tamma

Tricking ChatGPT to Silently Steal User Emails by

Rohit Tamma

AI in Cybersecurity: Benefits, Strategies & Future Trends by

Rahul Dogra

Vibecoding Conundrums by

Chris Hughes

Secure Vibecoding: Level Up with Cursor Rules and the R.A.I.L.G.U.A.R.D. Framework by

Ken Huang

Community Updates

👉

Billie Moon

won Silver in the 2025 Moonbeam Children’s Book Awards for Best Writer/Illustrator!

🚀 StackShelf is buzzing with new launches:

• Kamil Banc
  : free Gmail Signature Generator and an AI Prompt Manager extension

• Rohit Kumar Tiwari
  : three free Machine Learning guides

• Anfernee
  : Substack Accelerator Kit

• Adler Hsieh
  : Engineering Leadership coaching session

• Jose Antonio Morales
  : ‘“Fear Enough” book

• Jakub Slys 🤖
  - free automations for Substack writers

Comments

[Lulu not Lemon]

Great piece. I’ve been waiting for someone to tackle this unglamorous but important topic. I appreciate that you consistently share multiple perspectives, not just your own. I subscribed to Farida and Skelly as well.

[ToxSec]

Fantastic work. Added a subscriber here. Also you structured this in a really readable way, thanks for that.