
Understanding The Risks of Vibe Coding | 3DPrint.com | Additive Manufacturing Business

Vibe coding is an emergent practice where people use AI tools and Large Language Model (LLM) Chatbots to write code. An experienced developer could accelerate their work considerably through vibe coding. A backend developer could quickly have an AI chatbot do a frontend. Or a total novice could write the next Instagram. But there are risks, and they are poorly understood. There are other ways to code along with AI. The vibe coding advantage comes when you first craft a prompt describing what you need built, then you tweak, change, or add to the chatbot’s answer and guide it towards further improvements. With vibe coding, the code is nearly exclusively generated by the chatbot or AI tool, while successive iterations can be used to quickly create complex apps and sites. Vibe coding is quickly gaining in acceptance and adoption.


Before it gains too much in popularity, we should look at the risks. Specifically, in the additive manufacturing industry, we utilize numerous disparate software tools on a daily basis. Company internal toolchains are usually fragmented and rely on several platforms. General infrastructure for things like STL upload, sharing tools, pricing tools, storage, and the like is poor, and few things are well integrated. Someone somewhere is already trying to vibe code a 3D printing toolchain for themselves or their firm. Individual workers will discover that they can utilize code tools to automate and streamline their day-to-day tasks. It could also be tempting to create a quick STL upload tool for your 3D printing service. Spend too long with emails and descriptions for your internal shared service prototyping lab at a large company? Vibe code an STL pricing and upload tool for your network. Does your company have an anniversary? Make a quick invite and RSVP tool for the party. Do you have all your customer data in Excel? Vibe code an app to make it look spiffy and accessible. Vibe code a simple site to convert all your STLs to 3MF! The possibilities are endless.


But vibe coding’s main advantages are also the source of its problems: the AI tool writes most of the code, and the practice can be adopted quickly. Machine learning researcher Peter Naftaliev, who co-founded the FFmpeg-as-a-service firms RendiDev and Munch Studio, and who first used machine learning to identify people’s voices back in 2005, first brought this to my attention. He said that:

“Vibe coding has many risks, there are a lot of ways to hack an app that is not built for security or with security in mind. For example one of the hard things, if you’re not a developer and you’re doing vibe coding is in creating encryption, between your front end and back end, this takes know-how. Sometimes you can press a button that says don’t encrypt, and in this case a malicious attacker can make himself look like he is your front end and connect to your back end and do all sorts of things.

“Imagine a vibe coded platform created without access management for different files. Without that and security checks in place someone could easily have access to a user’s files. Usually assets stored for a user would be stored under specific anonymized IDs and asset management is added to these assets. Vibe coded platforms do not right now account for this well. And... you need to be able to track that it was done correctly.

“Vibe coding could lead to files & personal information being leaked and money stolen, passwords could easily be accessed because they’re not well encrypted. The main risk is in cyber security exposures because it is nearly impossible to notice vulnerabilities when you’re vibe coding. By design, you either don’t understand the code or you’re not taking the time to. The second biggest risk is in customer data leaks because vibe coded code does not take into account security measures to help prevent the exposure of private data. And if you’re not developing this code yourself you will miss this. Yet another issue is that changing a vibe coded code base usually requires developing it from scratch. So any feature additions or bug fixes either don’t happen or take a lot of time and resources to implement.”
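The access management Naftaliev describes, sketched as an added example (not code from the article or from anyone quoted in it): an upload store that hands out anonymized asset IDs, checks ownership on every download, and records each decision so it can be tracked. The `AssetStore` class, the user names and the sample file are assumptions made up for illustration.

```python
import secrets


class AssetStore:
    """In-memory stand-in for an STL upload service's storage (hypothetical)."""

    def __init__(self):
        self._assets = {}    # asset_id -> (owner_id, filename, data)
        self.audit_log = []  # (user_id, asset_id, allowed)

    def upload(self, owner_id, filename, data):
        # Anonymized, unguessable ID rather than a counter or the file name.
        asset_id = secrets.token_urlsafe(16)
        self._assets[asset_id] = (owner_id, filename, data)
        return asset_id

    def download_unchecked(self, asset_id):
        # Weak pattern: whoever presents an ID gets the file, no identity check.
        return self._assets[asset_id][2]

    def download(self, user_id, asset_id):
        # Hardened pattern: compare the caller with the stored owner and
        # log the decision, allowed or not.
        record = self._assets.get(asset_id)
        allowed = record is not None and record[0] == user_id
        self.audit_log.append((user_id, asset_id, allowed))
        if not allowed:
            # Same error for "missing" and "not yours", so a caller cannot
            # probe which IDs exist.
            raise PermissionError("asset not available")
        return record[2]


def demo():
    store = AssetStore()
    # Constructed sample upload.
    asset_id = store.upload("user-a", "bracket.stl", b"solid bracket")
    own = store.download("user-a", asset_id)
    try:
        store.download("user-b", asset_id)
        other = "leaked"
    except PermissionError:
        other = "denied"
    return own, other, store.audit_log, store.download_unchecked(asset_id)
```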


We asked some security experts what they thought of the risks of vibe coding. Steve Winterfeld, Advisory Chief Information Security Officer at Akamai told us that “we are seeing increased attacks on the manufacturing industry,” and that “while speed can often be a key driver and push coding practices like vibe coding they still need to have strong cybersecurity around them based on risk to the data.”

“From the perspective of a CISO we would prefer secure coding but know we have to provide vulnerability validation and security from external attackers.”

We spoke to Aaron Rose, Office of the CTO at Check Point Software, who is a security expert as well as an avid vibe coder. He says that,

“Although I might highlight specific code that I would like rewritten, expanded upon, or corrected, the code editor, along with the AI agents it employs, actually has access to the entire directory that is open at the time – this is by design, so the AI agents can search related code & fully understand the context of the project before responding. This could lead to the unintentional exposure of source code or sensitive data. Additionally, when building a new application or improving upon an existing one, developers often need to test it with sample data. Sometimes this sample data is derived – or even a copy of – real production data, if this sensitive file is used while working with an AI-powered vibe coding application, the AI Agent may analyze this as well, meaning that the sensitive information contained has just been sent to an AI Model that you have no control over. When building applications using AI coding tools, I only quickly parse through it. I’m not a formally trained software developer – I’m not going to spot input validation mistakes or potentially misconfigured functions. I’m essentially an AI-powered script kiddy, using platforms like ChatGPT and Cursor. I could make an app that is insecure itself, but I could also unintentionally be leaking data while making the app using these tools. Another example of the risks involved with vibe coding – researchers have shown that LLMs have hallucinated open source tools, packages & libraries that are used in code. Malicious people can register these fictitious libraries, embedding malware in the shared code, thus gaining access to systems and sensitive data. The risks for additive manufacturing are even greater – these software-related issues can become big problems in the real world, the physical world. Malware could be used to manipulate 3D printing files to introduce a microscopic alteration in an aircraft part, leading to disastrous consequences.”


What practices does Rose recommend to avoid mistakes when using AI tools?

“Start with the developers you have in-house or have worked with previously, continuously educate & reinforce secure development practices with them. Look at all of the tools that you are using and work with your IT Security Team to analyze them. Don’t use an application without first conducting an in-depth review with your security team, specifically looking at how the application handles your data and what third-party libraries or open source projects it may depend on. When using AI-powered coding assistants, analyze the code and the apps you use with these agents; in the end, you are ultimately responsible for them & any damage they may cause. Beware when using public AI models & tools for building applications, at Check Point we utilize private models that we either created or fine tuned specific to our needs, they have been reviewed thoroughly by our R&D and security teams, and are heavily secured & access restricted. Validation, integrity, secure software development, having a security mindset and bringing in your security team at the beginning of an app’s development, not after, are all important.”
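One way to act on both the hallucinated-library risk and the dependency review Rose describes, as an added example that is not from the article or from Check Point: before anything is installed, compare the dependency list an AI assistant produced against the set of packages the security team has already reviewed. The allowlist, its versions, the requirements text and the package name `placeholder-stl-converter` are all constructed for illustration.

```python
import re

# Constructed allowlist: reviewed packages and the exact version that was reviewed.
APPROVED = {"flask": "3.0.3", "numpy": "1.26.4", "trimesh": "4.4.1"}

# Constructed requirements text as an AI assistant might emit it.
# "placeholder-stl-converter" stands in for a package name the model made up.
GENERATED_REQUIREMENTS = """\
# generated dependencies
Flask==3.0.3
numpy>=1.20
placeholder-stl-converter==0.2.1
Trimesh==4.4.1
"""

LINE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:(==|>=|<=|~=|!=|<|>)\s*([^\s;#]+))?"
)


def normalize(name):
    # Package names compare case-insensitively, with runs of - _ . treated as "-".
    return re.sub(r"[-_.]+", "-", name).lower()


def vet(requirements_text, approved=APPROVED):
    """Return (package, reason) for every line that needs review before install."""
    findings = []
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            findings.append((line, "unparseable"))
            continue
        name, op, version = normalize(m.group(1)), m.group(2), m.group(3)
        if name not in approved:
            # Unknown name: possibly hallucinated, possibly registered by someone else.
            findings.append((name, "not reviewed"))
        elif op != "==":
            findings.append((name, "not pinned"))
        elif version != approved[name]:
            findings.append((name, "version differs from reviewed"))
    return findings
```

An empty result means every dependency is a reviewed package at its reviewed version; anything else goes to the security team before installation.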

On the whole, AI is an exciting new toy for many. It could be developed into a source of real advantage for employees, project teams, and companies. AI-powered work may eliminate a lot of simple tasks, give companies an edge, or lead to deep insight into data patterns that would be difficult to do otherwise. It is clear, however, that many people are playing with fire without realizing that it can burn. In additive, we handle patient data, prototypes that are years away from introduction, sensitive military components, nuclear parts, some of the world’s most advanced new technology, and components that could significantly impact the future of entire economies. We must be mindful of our work and use AI responsibly, with security in mind.
