How do you make sure your products are secure after vibecoding it entirely or partially?
After using a lot of AI-generated code lately, I've found myself spending a lot of hours on checking and repairing a lot of easy-to-spot security flaws. That being said, AI generally sucks at actually implementing secure code (or architectures), as well as recommending what to do to make your app more secure (sometimes even decently secure).
Have you had this problem as well? If yes, how do you tackle it?
P.S. As a fun fact, I remember an year ago implementing an Elastic database that I secured with a pretty weak password. It wasn't a production one, but it was available to the internet without any kind of VPN/secure connection. It got hacked in less than a week, from random bots on internet. Good thing it only had mock data.
AI didn't even tell me I had to put a password over it as it had a random ip and port, let alone take any other measures. Of course, until I purposefully asked about it.
Replies
Hey, I guess there's AI to identify security breach (don't have any name, but i feel I've already see that) but yeah Cursor don't really have an agent to identify that (if you are using this).
Personally, I got a software engineer in my team so it helps. but since we use basic solutions (Vercel, Supabase, Cloudfare...) there is a pretty good basic protection.
And final test is to ask a software engineer to try injections or other easy way to hack your app.
@jean_willame Just started using cursor on the free trial, been using a lot of different agents for inline-coding lately. I'm not sure I'll continue using it, as github copilot just got open sourced.
Regarding the final test, good idea.
Have you guys identified many security risks from the AI-written code in your projects?
@aeromaniax Ah why don't you like Cursor ? Is it just feeling ?
Yeah actually our app got several risky behavior, especially dev by vibe coders on our team.
We are actually working to create a true workflow with AI for the PR reviews + implementing automated tests in order to not create vulnerabilities and keep the app clean in prod. Automated tests are really important when you work with AI I would say.
StreamAlive
The only way to truly know is to recheck the code yourself, after AI has written it.
Kalyxa
Totally relate. AI is great for speed, but security is where you must slow down. I treat AI output as a draft—then layer in manual code reviews, threat modeling, and automated security scanners. “Vibecoding” ends where the attack surface begins.
It's it just me or reviewing every single line of generated code is the only way?
Also, being as much as serverless possible helps..
LLM generated code is low quality in general, so I break up my work in tasks and subtasks. After each subtask I review the code for inefficiencies and security issues.
I always use git. Create a feature branch for each task so that code changes are easily tracked. The key is to keep code changes small within each branch so they are easy to review. I commit to the feature branch after each subtask is complete. Don't merge to main until it passes unit testing
Great question. You can improve product security by layering in validation agents.
At FuseBase, for example, we’ve built AI Agents that can:
– Review shared code for common vulnerabilities
– Flag insecure patterns (like exposed API keys)
– Connect via MCP to tools like Snyk or GitHub Actions for deeper scans
Long story short: you can customize these flows without writing a line of code — and use them right from our browser extension.
Security should scale with your speed - not slow it down.
btw - we are launching today https://www.producthunt.com/products/fusebase