The “S” in Vibe Coding Stands for Security
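The article discusses the security risks of AI-driven "Vibe Coding" tools in production environments and illustrates the potential risks through several cases. The author recommends building security into the tools from the design stage and stresses the importance of transparent logging and continuous testing. Although these measures can improve security, the security of AI tools still needs further attention and improvement. 2025-7-24 10:22:48 Author: securityboulevard.com (view original)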

I made a new friend today — Erik Cabetas, founder of Include Security, one of the top-tier penetration testing firms in the business. We were introduced by my old friend and fellow security sage Chris Blask. Turns out Erik just moved back to South Florida about three months ago, and as anyone who knows me will tell you, I love connecting with fellow security folks in our neck of the woods.

Naturally, we grabbed lunch and — what else — talked shop.

One of the hot topics on the table (alongside the food) was the recent incident involving a so-called “AI Vibe” coding tool that wiped out a production database. And, to make matters worse, it then tried to cover it up. Yep, that happened. It’s one thing for your junior dev to delete something by accident, but when your AI assistant gaslights you about it? That’s a whole new frontier of risk.

As we were talking, Erik mentioned a comment he’d made on a LinkedIn post:

“The ‘S’ in Vibe Coding stands for Security.”

I laughed. “Wait,” I said, “there is no ‘S’ in Vibe Coding.”

“Exactly,” he said. “Maybe there’s no security either.”

That hit me with a big déjà vu. I told Erik it reminded me of a podcast I recorded years ago with Rich Mogull. We had the CEOs of MongoDB and Couchbase on the show. This was when NoSQL databases were just starting to explode on the scene — everyone was so enamored with the flexibility, the scale, the agility. You know what wasn’t in that conversation? Security.

So I asked the CEOs flat out: “Does NoSQL stand for No Security?”

Their answer? “When our customers demand security, we’ll build it in.”

I kid you not. That was probably 15 years ago. And yet here we are again, staring down the same tiger with a different coat.

The vibe coding craze — AI agents, copilots, low-code/no-code AI tools — is in full swing. It’s fast, flashy, and seemingly magical. But is it secure? Is it even designed to be?

Let’s be clear: Vibe coding (call it agentic AI, call it AI-native development, call it what you want) is already being adopted in production environments. And there have already been multiple incidents — like the database deletion cover-up — where things have gone sideways.

You don’t have to dig deep to find examples:

  • One company used a vibe coding tool to auto-generate infrastructure scripts… and accidentally opened up every internal service to the public internet — without logging it. The AI had hallucinated a “best practices” YAML file from Stack Overflow. 
  • A dev team relied on a vibe assistant to write their API gateway config. It missed a critical rate-limiting rule and exposed the endpoint to DDoS attacks, which went undetected for days. 
  • A retail platform tried to build a payment flow using a vibe agent. It worked beautifully — except the tool embedded customer credit card info in logs sent to third-party telemetry systems. 
  • And in one especially ironic twist, a vibe tool generated a login screen with a hardcoded admin password… and then auto-committed it to the company’s public GitHub repo. 

Are these bugs? Misconfigurations? Hallucinations? Depends on who you ask. But what they’re not is secure.

So what can vibe tool vendors — and the developers using them — do to avoid becoming tomorrow’s headline?

1. Build Guardrails from the Start

Security shouldn’t be a feature you tack on when something goes wrong. Vendors must integrate secure-by-default constraints: don’t allow write access to prod environments without multi-step verification; don’t generate code that touches authentication without requiring secure input.
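One way to express the "no prod writes without multi-step verification" constraint, as an added example that is not from the original article or any vendor's tool. The `authorize` gate, the environment names and the approval-code scheme are assumptions: a human approver issues an HMAC code bound to one exact statement, and the agent never holds the key.

```python
import hashlib
import hmac
import re
from typing import Optional

# Assumption: only these statement types count as read-only. A prefix check is a
# simplification; pair it with a read-only database role in a real deployment.
READ_ONLY = re.compile(r"^\s*(select|show|explain)\b", re.IGNORECASE)
# Assumption: every environment not listed here is handled as production.
NON_PROD = {"dev", "test"}


class GuardrailError(PermissionError):
    """Raised when the agent's request must not run."""


def approval_code(secret: bytes, env: str, statement: str) -> str:
    """Code a human approver issues out-of-band for one exact statement."""
    return hmac.new(secret, f"{env}\n{statement}".encode(), hashlib.sha256).hexdigest()


def authorize(env: str, statement: str, *, secret: bytes,
              approval: Optional[str] = None) -> str:
    """Default-deny gate: anything not provably read-only needs approval."""
    parts = [p for p in statement.split(";") if p.strip()]
    read_only = bool(parts) and all(READ_ONLY.match(p) for p in parts)
    if env in NON_PROD or read_only:
        return "allow"
    if approval is None:
        raise GuardrailError(f"write to {env!r} needs human approval")
    expected = approval_code(secret, env, statement)
    if not hmac.compare_digest(approval.encode(), expected.encode()):
        raise GuardrailError("approval was issued for a different statement")
    return "allow-approved"


if __name__ == "__main__":
    key = b"constructed-demo-key"  # held by the approval service, never by the agent
    # Constructed sample requests.
    for env, sql in [("dev", "DROP TABLE users"), ("prod", "SELECT 1"),
                     ("prod", "SELECT 1; DROP TABLE users")]:
        try:
            print(env, "|", sql, "->", authorize(env, sql, secret=key))
        except GuardrailError as exc:
            print(env, "|", sql, "-> blocked:", exc)
```

Because the code is bound to the environment and the statement text, an approval granted for one change cannot be replayed for a different one.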

2. Train on Secure Corpora

If your AI is learning from code in the wild, it’s learning from the internet — and the internet is full of garbage. Vendors should curate training data sets that are vetted for secure coding practices. And let’s be honest — community-reviewed Stack Overflow threads shouldn’t be your foundation.

3. Create Transparent Logging and Rollback

One of the scariest parts of that database deletion story? The AI lied. Or more accurately, it didn’t tell the truth. Any vibe tool that operates autonomously needs to log everything and allow for human-readable audit trails. That means immutable logs, diff views and time travel debugging.
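A minimal tamper-evident audit trail for agent actions, as an added example that is not from the original article. The record fields and function names are assumptions; each entry's hash covers the previous entry's hash, and the latest head hash is assumed to be stored somewhere the agent cannot write.

```python
import hashlib
import json

GENESIS = "0" * 64
FIELDS = ("seq", "actor", "action", "detail")


def _digest(prev: str, record: dict) -> str:
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode()).hexdigest()


def head(log: list) -> str:
    """Hash to anchor outside the agent's reach (e.g. write-once storage)."""
    return log[-1]["hash"] if log else GENESIS


def append(log: list, actor: str, action: str, detail: str) -> dict:
    prev = head(log)
    record = {"seq": len(log), "actor": actor, "action": action, "detail": detail}
    entry = dict(record, prev=prev, hash=_digest(prev, record))
    log.append(entry)
    return entry


def verify(log: list, expected_head=None):
    """Return the index of the first bad entry, or None if the chain is intact.

    Without expected_head, dropped trailing entries go unnoticed; with it,
    truncation is reported at index len(log).
    """
    prev = GENESIS
    for i, e in enumerate(log):
        record = {k: e[k] for k in FIELDS}
        if e["seq"] != i or e["prev"] != prev or e["hash"] != _digest(prev, record):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


if __name__ == "__main__":
    log = []  # constructed sample entries
    append(log, "agent", "sql", "SELECT count(*) FROM orders")
    append(log, "agent", "sql", "DROP TABLE orders")
    append(log, "agent", "report", "no changes were made")
    anchored = head(log)
    log[1]["detail"] = "SELECT 1"          # rewriting history after the fact
    print("first bad entry:", verify(log, anchored))
```

The chain alone only detects edits in place; a writer who can replace the whole file can recompute every hash, which is why the anchored head matters.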

4. Incorporate Continuous Security Testing

Pen testing isn’t just for final release. Vibe-generated code should be auto-checked against static analysis tools, known vuln scanners, and even fuzzing frameworks. Don’t let AI ship code you wouldn’t trust your junior intern with.

Despite these best practices, I’m not naive. The hype train is already barreling down the tracks. Just like with NoSQL, just like with IoT, and just like with cloud before them, security is being treated like an optional accessory. “We’ll add it when customers ask.”

Spoiler alert: By the time customers ask, it’s usually because something’s already broken.

Vibe coding is here. And it’s not just a fad — it’s reshaping how we build, deploy and even conceive of software. But unless we hit the brakes and bake in security now, we’re setting ourselves up for another generation of vulnerabilities, exploits and blame games.

As someone who’s been around the block in this industry more than once, I’ve learned a few things. One of them? Security rarely stops innovation. The market moves, regardless of whether we’re ready. Security often gets bolted on, not built in. It’s the eternal struggle between speed and safety, innovation and integrity.

So will the “S” in Vibe Coding ever stand for security?

Probably not. But that doesn’t mean we should stop trying.

Welcome to Florida, Erik. Glad to have another pair of eyes on this wild ride.

Source: https://securityboulevard.com/2025/07/the-s-in-vibe-coding-stands-for-security/?utm_source=rss&utm_medium=rss&utm_campaign=the-s-in-vibe-coding-stands-for-security