Treat AI-generated code as untrusted by default
Companies are using AI to produce code faster than they can consume it. FDM Group CISO Sawan Joshi shares his advice on protecting your estate in this new era.
Recently, at the RSAC conference in San Francisco, NCSC CEO Dr Richard Horne highlighted the cyber risks of “vibe coding” – the increasingly popular use of AI to write code, often without human review.
Experienced developers are starting to discover that vibe coding cuts weeks into hours when writing code, massively increasing their productivity. It has quickly emerged as one of the top AI buzz words.
However, while vibe coding is seen as a productive tool, companies are producing code faster than they can secure it. Most graduates entering the workforce today aren’t being trained to handle these risks, despite the AI approach becoming increasingly popular, leaving a generation underprepared for the cybersecurity challenges of tomorrow.
The security risks of the rising use of ‘vibe coding’
We’ve seen firsthand over the last year how cyber risks are now of greater consequence than ever before, as increased exposure, inherent vulnerability and the explosion of AI make attacks harder to detect and defend against.
The first key vulnerability when it comes to vibe coding is the lack of any human review. The code produced is often far from perfect, and there is a lot for the developer to improve. In fact, recent research found that nearly half of all AI-generated code contains security flaws, with no improvement across larger or newer models.
Vibe coding skips too many steps. Developers are using AI to write code fast, often without reviewing it or having a clear understanding of what it’s doing. This could leave code wide open for attacks, including vulnerabilities such as injection flaws, poor authorisation, missing validation and hardcoded secrets.
The Graduate Cybersecurity Gap
Despite the rise of vibe coding, there is a clear cybersecurity knowledge gap when it comes to these AI methods and tools. Most new graduates breaking into the workforce may lack training and awareness in secure coding, cybersecurity and safe AI use.
Research from the 2025 Cyber security skills in the UK labour market analysis highlighted that the skills gap in basic cyber security and incident response remained a consistent issue. Almost half (49%) of businesses struggle with essential tasks like setting up firewalls, managing personal data securely and detecting malware.
There is an ongoing need for basic advice and guidance, particularly for smaller organisations outside the cyber security sector, where difficulties meeting standard security requirements are greater.
Amid the ever-growing rise of AI in the workplace, tackling the cyber security skills gap is a top priority in the UK, and graduates must be at the forefront of this effort. Educating and upskilling them on the security risks of AI-driven tools and methods is essential to prevent vulnerabilities before they arise.
The cybersecurity challenges of tomorrow
Currently, vibe coding allows programmers to create software and apps with limited training and skills, lowering costs and boosting efficiency. In order to secure vibe coding best practice, firms should treat AI-generated code as untrusted and ensure robust human oversight, with review gates and automated security testing in place.
On top of this, governance frameworks must define where and how AI tools can be used, who can approve AI-generated code, and accountability structures linking AI actions to specific humans. Security hygiene practices, such as input sanitisation, parameterised queries, avoiding hardcoded secrets and keeping dependencies up to date are essential.
Organisations must adopt a cautious, phased approach, starting with non-critical systems and continuously monitoring code security in staging and production environments.
Educating teams on proper AI use, prompt hygiene, and secure coding practices will help prevent vulnerabilities before they reach production. While vibe coding offers transformative potential, its rapid adoption without these safeguards could expose businesses to substantial security, compliance and operational risks
If we fail to train and educate today’s graduates with this knowledge, the future of software security, and the safety of businesses, could face lasting damage.
Sawan Joshi is Chief Information Security Officer at FDM Group
Leave a comment