Vibe Coding: Will your Drag-and-Drop lead to Drag-and-Breach?

Remember painter Bob Ross’ famous words, “We don’t make mistakes. We have happy accidents”? Mr. Ross, with his incredible artistic skills, could turn a blank canvas into a ‘Winter Paradise,’ smudging a little extra white paint into another mountain peak with just a brush. He truly embodied The Joy of Painting. Well, in today’s programming world, vibe coding is garnering attention, a lot of attention, and, I would argue, redefining the world of software engineering.

Vibe coding is redefining the world of software engineering!

Vibe coding allows for the democratization of software development by shifting programming functions to non-technical users through low-code/no-code (LC/NC) platforms. It is akin to giving paintbrushes to everyone in the office to create business applications without having to write a single line of code. There is no explicit implementation or insight into garbage collection that can lead to memory leaks, no thread management that could lead to race conditions, or try-catch-finally blocks that handle exceptions in the (let’s be honest) prototype-turned-production application. To the purist programmer, I say that it is an anathema as it robs the Joy of Coding, but let’s be real: anything that saves time and thus money, increases the speed of development, and potentially minimizes the risk of human errors is likely to become a mainstream modus operandi.

And now, with the prevalence of Artificial Intelligence and the increase in agentic AI development, we are seeing Integrated Development Environments (IDEs) like VS Code morph into Cursor AI that can auto-generate code with a simple prompt. The recently released OpenAI software engineering agent, Codex, can not only code by prompting but also be integrated into the software development lifecycle pipeline, with the ability to clone repositories, draft pull requests (PRs), review code, run dependency tests, and deploy code —all in the same session.

🔪 The Double-Edged Knife of Citizen Development

However, here’s the catch: while Bob never painted a data breach, your citizen developer just might. No-code platforms are often treated like digital Lego sets. Finance teams create dashboards; HR builds onboarding portals. But beneath the bright UI lies the sharp edge: misconfigured permissions, unsecured APIs, and data exposures that evade traditional security reviews. What starts as “vibe coding,” fostering creativity without knowledge constraints, can quickly become “vibe hacking” when security is not baked in, and your drag-and-drop application may be exactly what attackers seek to drag and breach!

Low-Code/No-Code Shouldn’t Mean No-Security/Low-Security

📈 The Rise (and Risk) of Vibe Coding

A recent WIRED story, “Vibe Coding Is Coming for Engineering Jobs,” argues that software engineering, once a stable and lucrative tech job, is under threat as AI learns to code. One can argue that jobs that can be automated can be repositioned in other areas, but the article’s URL reveals a bigger concern: it calls vibe coding an engineering apocalypse.

Will Vibe Coding lead to an AIpocalypse?

While I do not like to leverage Fear, Uncertainty, and Doubt (FUD) to motivate security, the truth remains that if security is out of sight in vibe coding, it is likely to be out of mind. Some LC/NC vendors tout security built into their platforms, stating that security is handled for users with little to no coding experience. While this may be true, the customer has limited to practically no insight into how those security controls are built in and how they are governed. Shouldn’t the sagacious counsel of President Reagan’s “Trust, but verify” still apply when leveraging or negotiating application-building treaties (contracts) with LC/NC platform providers?

“Trust, but verify” the security functionality and configuration settings that LC/NC vendors tout as being in their platforms and products.

With the rise of a new culture that favors speedy applications over secure ones, vibe coding carries an increased risk that I discuss in my book, The 7 Qualities of Highly Secure Software: the risk of security being bolted on instead of built in. When this vibe mindset of speed over security makes its way into the development of our business-critical applications, what we consider our most valuable asset can quickly become a liability. Fast code is not necessarily safe or secure code, and letting vibes dictate architecture is like building the iconic Golden Gate Bridge based on how “aesthetic” the cables look, with no attention given to the underwater (hidden) foundation anchored into the bedrock that gives it structural integrity.

⚠️ Low Code, High Risk: If we have Velocity without Vigilance

LC/NC platforms usually offer plug-and-play integration with internal and external systems, including sensitive customer relationship management (CRM) systems, payment gateways, and analytics engines. Without guardrails, these connections become prime targets for attack; they introduce a new attack surface. Imagine an AI agent that auto-generates your internal tool, misconfigures an API, and then silently ships it to production. Who’s reviewing the pull request? Spoiler alert: nobody. And it’s not just the bots. Human users, emboldened by these tools, may overestimate what’s safe or underestimate what’s exposed. In other words, we’re not just coding faster. We may be shipping risk faster.

Fast-coded apps can become fatal apps when the vibe of speed over security is used to develop applications.

Unlike traditional development pipelines, LC/NC applications often bypass security reviews, CI/CD scanning tools, and DevSecOps altogether. These LC/NC platforms, frameworks, and agentic web-based coding tools, such as Codex, are no doubt revolutionary. They allow users to delegate tasks to an AI agent that can write, test, and even run code in a hosted sandbox environment. On the one hand, they are incredible and game-changing for productivity; on the other hand, relying on them without an explicit focus on cybersecurity can result in a ‘Game over.’

When Velocity trumps Vigilance, your game changing application may result in a "Game Over!" for your business.

❐ The “Shadow IT” of the 2020s

And oh, there is one other thing. When I served as the CTO of an automotive franchise company, one of my key responsibilities was to reduce Shadow IT. These unsanctioned applications and tools, often purchased and deployed by non-technical users, undermined the mission to ensure scalable and secure infrastructure. LC/NC platforms are likely going to be the largest generators of Shadow IT. Today, a motivated analyst with ChatGPT and a drag-and-drop builder can whip up a customer portal, integrate it with production data, and launch it live without writing a single line of secure code or informing the CISO’s team. When IT doesn’t know what’s been deployed or who deployed it, security teams are flying blind. With AI’s pre-trained models that can construct code and build apps, Shadow IT will resurge like a Hydra’s regrown heads.

LC/NC platforms are likely going to be the largest generators of Shadow IT. Gartner predicts that by 2026, 80% of the user base for low-code development tools will sit outside formal IT.

Gartner predicts that by 2026, developers outside formal IT departments will account for at least 80% of the user base for low-code development tools. The next time you hear, “We built this application over the weekend,” your first question should not be, “How?” It should be, “Is it secure?” Imagine if 80% of your applications were never assessed for vulnerabilities or pentested. Now you’re seeing the iceberg.

🎓 A Sagacious Counsel – What seems Right may be Wrong!

Scripture counsels us that “There is a way that appears to be right, but in the end, it leads to death” (Proverbs 14:12). And while vibe coding may seem right, let it not be so that it can lead to unintended, deadly consequences for your company. Shortcuts may look innovative, efficient, or even “vibe-y” at first, but without discernment and discipline, they can derail your company’s security posture and, ultimately, your leadership position in the marketplace.

🔐 Practical Takeaways - Let’s VIBESECURE

So, what can you do to ensure that you have a sustainable competitive advantage when adopting and using vibe coding? Here are some practical takeaways, using VIBESECURE as an acrostic for an easy mnemonic.

Securing Vibe Coding - VIBESECURE

You cannot secure what you cannot see. Enable logging and monitoring for all low-code app deployments.

“Flying blind is not a strategy; it’s a crash plan.”

Manage identities rigorously, applying role-based access controls (RBAC), single sign-on (SSO), and scoped permissions for human users and AI agents alike. Tie every app to defined roles and policies. Avoid using generic or “everyone” roles. Every app must know who’s who, especially those that touch sensitive systems or data.

“Even your AI needs a job description.”

Enforce secure configuration baselines, encryption defaults, and zero-trust controls across all LC/NC platforms and autogenerated deployments. Don’t assume that the secure functionality within the platform is configured to protect by default; explicitly configure access, as I had to do when granting access to trusted domains and allowing HTTP methods while setting up OpenAI’s Codex. Review the common dependencies (sites that the AI coding agent depends on). If you don’t need these external dependencies, you can set your domain allow list to “None” and allow only your custom domains to be accessible by the software engineering agent.

“Think of it like seatbelts, which one may deem vestigial until a crash.”

[Screenshot: Explicitly configure OpenAI Codex]

Designate executive champions on the business side as liaisons and sponsors who can drive policy, allocate resources, and help normalize low-code development as a strategic priority without ignoring security. Secure AI use is a top priority for C-level executives. Empower CISOs to guide usage by the business teams, require procurement reviews, and create a culture of secure innovation, not just react to it.

“Security is not a sidebar to strategy but must be a seat at the table.”

Implement strict network and identity-based segmentation to limit blast radius, isolating low-code and AI-generated applications from core business systems. Keep low-code apps in their own network segment or container.

“Segmentation keeps intruders at bay.”

Protect citizen and developer laptops, browsers, and endpoints where low-code apps or agent-based AI are used, employing endpoint detection and response (EDR) and browser isolation. Explicitly configure Internet access from the LC/NC platform or agent and turn off access if you don’t need it. By default, OpenAI Codex was configured to share your content during development with OpenAI to train their models and improve ChatGPT. Explicitly turn that off to ensure privacy and minimize the risk of inadvertent disclosure.

“Every device is a potential doorway, and it is imperative to secure the hinges to keep intruders out.”

[Screenshot: OpenAI model sharing configuration setting]

Even drag-and-drop apps need discipline. Treat LC/NC changes with the same care as source code deployments. Mandate rigorous change management, including version control, approvals, and rollback capabilities for every release, irrespective of whether it is AI-generated or citizen-developed, to avoid “accidental” releases of unstable, untested, and, most importantly, insecure features.

“Change must be controlled with oversight, not be based on vibes and velocity.”

Continuously educate citizen developers and prompt engineers on secure design practices, AI risk management, and recognizing common security pitfalls. Roll out awareness and training programs that go beyond the “how” of building and teach the “why” of security. Focus on common pitfalls, such as insecure data handling, privilege escalation, and excessive data exposure, and on common threat catalogs, such as the OWASP ML/LLM Top 10 and MITRE ATLAS.

“An untrained user with AI is like a toddler with a power tool. Awareness is your first line of defense!”

Create an inventory of all LC/NC apps, track their dependencies, and set up behavioral monitoring. Deploy runtime monitoring, web application firewalls (WAFs), and API gateways to detect anomalies, abuse, and drift (including model drift) in real time across your apps. Block the AI agent’s Internet access if it is not needed.

“Runtime protection is your smoke detector, silent and often overlooked until it saves the day.”

Treat every drag-and-drop connector and API call as a potential vulnerability. Vet third-party integrations for data exposure risks, enforce rate limits, and scan for weak authentication practices. Vet every plugin, connector, and webhook to minimize third-party risks introduced by both human and agentic workflows. Default integrations often grant excessive privilege and skip logging, role-based access controls, or encryption.

“Trust, but verify; you’re only as strong as your weakest dependency.”
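As an added example (not from the article), the following script turns several of the VIBESECURE checks above into a policy-as-code audit over a constructed LC/NC app inventory: unowned apps, generic “everyone” roles, disabled logging, unneeded Internet egress, and connectors with weak authentication, no encryption, or no rate limit. The inventory record fields and sample apps are assumptions for illustration.

```python
"""Added example: audit a constructed LC/NC app inventory against the
VIBESECURE-style checks (ownership, identity, visibility, runtime egress,
external integrations). Field names are hypothetical, not any platform's API."""
from dataclasses import dataclass, field

@dataclass
class LcncApp:
    name: str
    owner: str                 # who deployed it; empty means unknown (shadow IT)
    roles: list                # roles granted access to the app
    logging_enabled: bool      # "you cannot secure what you cannot see"
    internet_egress: bool      # app or agent can reach the Internet
    needs_internet: bool       # does the business function actually require it?
    connectors: list = field(default_factory=list)  # dicts describing integrations

GENERIC_ROLES = {"everyone", "all users", "anonymous", "public"}
WEAK_AUTH = {None, "none", "basic"}

def check_app(app):
    """Return a list of human-readable findings for one inventory record."""
    findings = []
    if not app.owner:
        findings.append("no owner recorded (shadow IT candidate)")
    for role in app.roles:
        if role.strip().lower() in GENERIC_ROLES:
            findings.append(f"generic role granted: {role}")
    if not app.logging_enabled:
        findings.append("logging disabled")
    if app.internet_egress and not app.needs_internet:
        findings.append("Internet egress enabled but not required")
    for c in app.connectors:
        if not c.get("encrypted", False):
            findings.append(f"connector {c['name']}: transport not encrypted")
        if c.get("auth") in WEAK_AUTH:
            findings.append(f"connector {c['name']}: weak or missing authentication")
        if not c.get("rate_limited", False):
            findings.append(f"connector {c['name']}: no rate limit")
    return findings

def audit(inventory):
    """Map app name -> findings, only for apps with at least one finding."""
    return {a.name: f for a in inventory if (f := check_app(a))}

# Constructed sample inventory: one well-governed app, one "built over the weekend"
SAMPLE = [
    LcncApp("hr-onboarding", "hr-team", ["HR Admin"], True, False, False,
            [{"name": "payroll-api", "encrypted": True, "auth": "oauth2", "rate_limited": True}]),
    LcncApp("weekend-dashboard", "", ["Everyone"], False, True, False,
            [{"name": "crm", "encrypted": False, "auth": "basic", "rate_limited": False}]),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name)
        for f in findings:
            print("  -", f)
```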

🎬 Conclusion: The Need for Vibe Coding with Vigilance, not just Velocity

Let’s be clear. Low-code/no-code and agentic tools are not the enemy. But when vibes replace vigilance and AI replaces architecture, we are entering a ‘build fast, breach faster’ era. What we need is vibe coding with vigilance (cybersecurity vigilance) so that the benefits gained from velocity are not lost to exploitable vulnerabilities.

So yes, vibe away. Just make sure someone is ensuring that guardrails are not left on the sidelines while you are painting your “happy little app” masterpiece. I think it would do us a lot of good to heed the lesson from Jurassic Park; as wise Mr. Goldblum put it, “Yeah, yeah, your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should,” lest our companies become dinosaurs. Think VIBESECURE.

📣 Call to Action

As digital guardians and technology leaders, a few things we can do to enable and empower the business are to partner with them in the assessment and procurement of LC/NC platforms, and to establish usage governance and security controls via security baselines, templates, and guardrails that integrate seamlessly into their LC/NC apps. This way, we can ensure velocity sans vulnerabilities.

What are your thoughts?

  • Do you think vibe coding is better or worse for security in the long run?

  • What no-code, low-code, or agentic tools are you experimenting with, and how have you secured them?

  • How much do you trust your platform vendors to handle security, and where do you draw the line?

  • Do you have a user education strategy in place for these tools, and if so, how are you making it effective?

  • Have you faced risks from low-code platforms or AI-generated tools in your org?

  • How are you securing your “citizen developers”?

I am open to your thoughts and counterpoints as well. Comment your thoughts or reach out so we can connect and explore together. I’m happy to discuss and be of assistance to help your team build applications (with or without code) that are not only speedy in development but scalable and secure as well!


Works Cited:

3D Living Studio. “How a Bridge Is Built over Deep Water | Suspension Bridge.” YouTube, 22 Mar. 2022, www.youtube.com/watch?v=_anVJoFUCtk. Accessed 13 June 2025.

Bargury, Michael. “Why so Many Security Experts Are Concerned about Low-Code/No-Code Apps.” Darkreading.com, 18 Apr. 2022, www.darkreading.com/cyber-risk/why-so-many-security-experts-are-concerned-about-low-code-no-code-apps. Accessed 13 June 2025.

Bob Ross. “Bob Ross - Winter Paradise (Season 20 Episode 9).” YouTube, 13 Aug. 2016, www.youtube.com/watch?v=DY1aBv8Z1SQ. Accessed 13 June 2025.

Gartner. “Gartner Forecasts Worldwide Low-Code Development Technologies Market to Grow 20% in 2023.” Gartner, 13 Dec. 2022, www.gartner.com/en/newsroom/press-releases/2022-12-13-gartner-forecasts-worldwide-low-code-development-technologies-market-to-grow-20-percent-in-2023. Accessed 13 June 2025.

IMDb. “Jurassic Park.” IMDb, 11 June 1993, www.imdb.com/title/tt0107290/.

Knight, Will. “OpenAI Launches an Agentic, Web-Based Coding Tool.” WIRED, 16 May 2025, www.wired.com/story/openai-launches-an-agentic-web-based-coding-tool/. Accessed 13 June 2025.

---. “Vibe Coding Is Coming for Engineering Jobs.” WIRED, 12 June 2025, www.wired.com/story/vibe-coding-engineering-apocalypse/. Accessed 13 June 2025.

Paul, Mano. The 7 Qualities of Highly Secure Software. CRC Press, 2012.

“Proverbs 14:12 NIV.” Bible Gateway, www.biblegateway.com/passage/?search=Proverbs%2014%3A12&version=NIV.

Sapkota, Ranjan, et al. “Vibe Coding vs. Agentic Coding: Fundamentals and Practical Implications of Agentic AI.” ArXiv.org, 2025, arxiv.org/abs/2505.19443. Accessed 13 June 2025.

It's fascinating to see how low-code and no-code platforms are changing the development landscape! Balancing speed with security is definitely a challenge, and it’s crucial to establish strong governance frameworks for citizen developers. I'm curious, what specific security measures do you find most effective in managing these new development environments?

Daniela C.

CISSP, C|EH, CSSLP, Principal Software Engineer Raytheon, Adjunct Professor UMBC

2mo

Judging by how successful public awareness educational campaigns are, it will be difficult to teach software security concepts to citizen developers. I hope I am wrong.

Los Ellis

Sr Project Manager | Director of Information Management | Brand Developer | Government | Body Language Decoder | Speaker

2mo

Low code/No code is a good tool for most applications contained within the firewall with some scrutiny, but there will always be some concerns. Thanks for sharing, Mano Paul, MBA, CISSP, CSSLP
