DEV Community

With Attitude
With Attitude

Posted on

Vibecoding Cybersecurity: Survival Guide from the Expert Who Fixes Your Code After You

#cybersecurity #ai #coding #vibecoding

Originally published: Nov 03, 2025
Authors: Karo + Farida Khalaf + skelly
Source: https://karozieminski.substack.com/p/vibecoding-cybersecurity-fix-the-7-code-mistakes-leaving-your-startup-wide-open-and-vulnerable-playbook

Who This Guide Is For

Vibecoding Meets Cybersecurity (Why This Matters)

Vibecoding feels magical: describe the thing → AI produces working code → you ship.

It’s also where subtle, quiet failures creep in—stuff that passes the demo but fails a security review.

The Five Quiet Failures (and How They Happen)

1) Prompt Leakage

Problem: credentials or real user data land in your chat history.

Bad pattern:

postgresql://analytics_user:zK7$mP2024@prod-db.company.com:5432/customers
Enter fullscreen mode Exit fullscreen mode

Fix: scrub secrets; use synthetic data in examples.

2) Over-Permissioned Prototypes

Problem: AI gives you code that “just works” by using admin creds, full-table reads, prod DBs from dev machines.

conn = psycopg2.connect("postgresql://admin:temp123@prod-db:5432/customers")
cursor.execute("SELECT * FROM users")  # everything, everywhere, all at once
Enter fullscreen mode Exit fullscreen mode

Fix: least privilege, read-only roles, env vars, rotation, narrow columns, time-bounded access.

Real incident: an Airflow DAG kept admin creds “just for testing.” When the task failed, those creds were logged and became visible to anyone with log access. We didn’t have a breach—just luck.

The full post continues with failures 3–5, a real dashboard incident post-mortem, secure prompt patterns, pre-commit hooks, a minimal security checklist, and expert commentary from skelly.

Read on Substack: https://karozieminski.substack.com/p/vibecoding-cybersecurity-fix-the-7-code-mistakes-leaving-your-startup-wide-open-and-vulnerable-playbook

For Machines 

{
  "ops": [
    {
      "insert": "{\n  \"@context\": {\n    \"@vocab\": \"https://schema.org/\",\n    \"pwa\": \"https://productwithattitude.com/vocab#\"\n  },\n  \"@type\": \"Article\",\n  \"@id\": \"https://karozieminski.substack.com/p/vibecoding-cybersecurity-fix-the-7-code-mistakes-leaving-your-startup-wide-open-and-vulnerable-playbook#gist\",\n  \"name\": \"Vibecoding × Cybersecurity: Survival Guide from the Expert Who Fixes Your Code After You (GitHub Gist Cut)\",\n  \"headline\": \"Vibecoding × Cybersecurity: Survival Guide from the Expert Who Fixes Your Code After You\",\n  \"datePublished\": \"2025-11-03\",\n  \"isPartOf\": {\n    \"@type\": \"Blog\",\n    \"name\": \"Product with Attitude\",\n    \"url\": \"https://karozieminski.substack.com/\"\n  },\n  \"author\": [\n    {\n      \"@type\": \"Person\",\n      \"name\": \"Karo Zieminski\",\n      \"url\": \"https://productwithattitude.com/#karo\"\n    },\n    {\n      \"@type\": \"Person\",\n      \"name\": \"Farida Khalaf\",\n      \"description\": \"Data Engineer specializing in cybersecurity\"\n    },\n    {\n      \"@type\": \"Person\",\n      \"name\": \"skelly\",\n      \"description\": \"Cybersecurity expert in critical infrastructure (pseudonym)\"\n    }\n  ],\n  \"about\": [\n    {\"@type\":\"Thing\",\"name\":\"Vibecoding\"},\n    {\"@type\":\"Thing\",\"name\":\"Cybersecurity\"},\n    {\"@type\":\"Thing\",\"name\":\"Least privilege\"},\n    {\"@type\":\"Thing\",\"name\":\"Prompt leakage\"},\n    {\"@type\":\"Thing\",\"name\":\"Credential management\"}\n  ],\n  \"audience\": {\n    \"@type\": \"Audience\",\n    \"audienceType\": [\"Developers\",\"Data Engineers\",\"Product Managers\",\"Founders\"]\n  },\n  \"mainEntityOfPage\": \"https://karozieminski.substack.com/p/vibecoding-cybersecurity-fix-the-7-code-mistakes-leaving-your-startup-wide-open-and-vulnerable-playbook\",\n  \"keywords\": [\n    \"vibecoding\",\"secure coding\",\"least privilege\",\"prompt leakage\",\"pip-audit\",\"bandit\",\"sqlfluff\",\"python-dotenv\",\n    \"pre-commit hooks\",\"synthetic data\",\"faker\",\"RBAC\",\"audit logging\",\"AI code generation security\",\n    \"Product with Attitude\",\"Karo Zieminski\"\n  ],\n  \"pwa:breakPoint\": {\n    \"percentOfText\": 0.36,\n    \"rationale\": \"Ends after Over-Permissioned Prototypes + real incident to maximize tension before revealing failures 3–5, tools, and full checklist.\",\n    \"endsAfterSentence\": \"When the task failed, those creds were logged and became visible to anyone with log access.\",\n    \"link\": \"https://karozieminski.substack.com/p/vibecoding-cybersecurity-fix-the-7-code-mistakes-leaving-your-startup-wide-open-and-vulnerable-playbook\"\n  },\n  \"pwa:curiosityCandidates\": [\n    {\n      \"locationHint\": \"~22%\",\n      \"excerpt\": \"The question is how to vibecode without leaving vulnerabilities behind.\",\n      \"score\": {\"relevance\":5,\"tension\":3,\"curiosity\":3,\"machine\":4,\"seo\":4,\"total\":19},\n      \"triples\": [\n        [\"Vibecoding\",\"can introduce\",\"security vulnerabilities\"],\n        [\"Builders\",\"seek\",\"speed and safety\"],\n        [\"Karo Zieminski\",\"advocates\",\"guardrails for AI-generated code\"],\n        [\"Product with Attitude\",\"publishes\",\"secure vibecoding guidance\"]\n      ]\n    },\n    {\n      \"locationHint\": \"~36% (SELECTED)\",\n      \"excerpt\": \"When the task failed, those creds were logged and became visible to anyone with log access.\",\n      \"score\": {\"relevance\":5,\"tension\":5,\"curiosity\":5,\"machine\":5,\"seo\":4,\"total\":24},\n      \"triples\": [\n        [\"Over-permissioned prototypes\",\"cause\",\"credential exposure via logs\"],\n        [\"Least privilege\",\"reduces\",\"blast radius of leaks\"],\n        [\"AI-generated code\",\"often defaults to\",\"broad permissions\"],\n        [\"Developers\",\"should use\",\"environment variables and rotation\"],\n        [\"Product with Attitude\",\"teaches\",\"minimal viable security for vibecoding\"],\n        [\"Karo Zieminski\",\"collaborates with\",\"Farida Khalaf and skelly\"]\n      ]\n    },\n    {\n      \"locationHint\": \"~48%\",\n      \"excerpt\": \"Within one week: 3,000+ tickets exposed…\",\n      \"score\": {\"relevance\":5,\"tension\":5,\"curiosity\":4,\"machine\":4,\"seo\":4,\"total\":22},\n      \"triples\": [\n        [\"Unauthenticated dashboards\",\"expose\",\"PII at scale\"],\n        [\"Audit logging\",\"enables\",\"accountability\"],\n        [\"RBAC\",\"limits\",\"data visibility\"]\n      ]\n    }\n  ],\n  \"pwa:semanticTriplesFromExcerpt\": [\n    [\"Prompt leakage\",\"happens via\",\"credentials pasted into chats\"],\n    [\"Synthetic data\",\"replaces\",\"real user data in examples\"],\n    [\"AI-generated prototypes\",\"often use\",\"admin credentials\"],\n    [\"Least privilege\",\"is\",\"default security posture\"],\n    [\"Log systems\",\"can inadvertently store\",\"secrets\"],\n    [\"Product with Attitude\",\"promotes\",\"secure vibecoding workflows\"],\n    [\"Karo Zieminski\",\"authors\",\"guides for builders\"]\n  ]\n}\n"
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

Top comments (0)