Digital preservation can be a long and complicated business. The act of converting a dusty, old tome into a digital file necessitates the archivist transposing the inken script into pixels using an optical character recognition (OCR) program. If the scans fed into the software are of a sufficiently high quality, that should be the end of it. But a blurred or tilted image of the document can result in a disjointed, garbled output, necessitating hours of more work correcting each sentence one by one.
That’s where vibe coding can come to the rescue. Vibe coding is the practice of describing to an AI model, in natural language, the app or piece of software you want and letting it generate the code out of whole cloth. With it, enterprising archivists could build an app into which unreliable OCR text can be dumped, sorted and rationalised automatically – all without knowing a lick of Python, Java or COBOL.
At least, that’s the idea. So named by OpenAI co-founder Andrej Karpathy, vibe coding is also a philosophy, smashing apart the idea that app creators, by definition, actually know how to write code. With the next evolution of AI-assisted coding tools, such as Cursor, Windsurf and Replit, along with AI chatbots like Claude, novices need only describe the type of app, website or application they want, and pfft, the LLM will create it. This is why “the hottest new programming language,” Karpathy said in a tweet viewed 7.4m times, “is English.”
In this way, vibe coding is very different to other AI coding tools such as GitHub Copilot, which intuitively suggests code completion, and from low-code or no-code, which use visual interfaces to support users in dragging and dropping different applications and functionality built by professionals and designed to work together. As Neal Riley, co-founder and general manager at Salable explains, with vibe coding, the LLM is squarely responsible for answering the question of “how” to solve a specific task in the development process, as opposed to taking an action that the coder has thought through first.
“Vibe coding is an ‘agentic’ style of coding,” says Riley. “It moves away from a ‘chat-like’ experience, where a user guides a single action, the LLM executes, and returns to the user asking for the next step. Agentic systems can break down a query from a user into a set of actions, taking each in turn without user intervention.”
While vibe coding is said to ‘democratise’ coding, collapsing the barriers for non-professionals, it’s also genuinely game-changing for software developers, argues Katie Paxton-Fear, a principal security research engineer at Harness.
“Vibe coding redefines the software development process due to the speed [at] which software can be developed,” says Paxton-Fear, essentially offloading the boring, repetitive parts of coding to the LLM. “On the enterprise level, that’s where AI-generated code will take over.”
Getting those good vibes
Advocates for vibe coding argue that it has great potential for those who really understand the problems of a specific department or process but can’t code responsive software solutions. “In the enterprise, this approach can lead to significant innovations,” says Paxton-Fear.
For many designers, this is a boon; they can now try many things quickly, rather than having to hand their ideas off to software engineers to create prototypes, one by one. For CTOs, however, it can be a headache. Though vibe coding democratises software development, the kind of code spat out by its associated AI models can be riddled with mistakes. Infamously, it’s resulted in vibe-coded applications that their creators have publicly lauded but prove disturbingly open to being breached – as in the case of 170 out of 1,645 apps created by amateur developers on Lovable. It’s because of this tendency that Aikido Security developer and security advocate Mackenzie Jackson refers to vibe coding as ‘vulnerability-as-a-service.’
“Without understanding the code, you don’t know what you don’t know, and debugging is notoriously hard,” he explains. Because the LLM is making thousands of assumptions off a small prompt, it’s prone to logic vulnerabilities which present security risks.
“An example is when a user can see admin pages purely because the tool didn’t understand that wasn’t the intention,” says Jackson. “AI doesn’t write secure code by default – it’s prone to common vulnerabilities like SQL injection, cross-site scripting (XSS), and path traversal attacks.”
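To make the three classes of flaw Jackson names concrete, here is an added example (not code from the article or from any vendor quoted in it) showing how each typically appears in hastily generated web-app handlers, beside a hardened version of the same handler. The in-memory SQLite table, the user records and the uploads directory are constructed sample data, and the handler signatures are assumptions made for illustration.

```python
"""Added example: vulnerable request handlers beside hardened ones.
Everything here is constructed for illustration; the database, users and
upload directory are sample data, not a real deployment."""
import html
import posixpath
import sqlite3

# --- constructed sample state -------------------------------------------------
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
DB.executemany("INSERT INTO users VALUES (?, ?, ?)",
               [(1, "alice", "admin"), (2, "bob", "user")])
UPLOADS = "/srv/app/uploads"  # constructed base directory for user files


# --- 1. logic flaw: any logged-in user can open the admin page ---------------
def admin_page_vulnerable(session):
    # Checks "is someone logged in" but never "is this person an admin".
    if session.get("user_id") is None:
        return 401, "login required"
    return 200, "admin dashboard"


def admin_page_fixed(session):
    # Look the role up server-side from the session's user id; never trust a
    # role claim that arrives from the client.
    user_id = session.get("user_id")
    if user_id is None:
        return 401, "login required"
    row = DB.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None or row[0] != "admin":
        return 403, "forbidden"
    return 200, "admin dashboard"


# --- 2. SQL injection: string-built query beside a parameterised one ---------
def find_user_vulnerable(name):
    # User input is spliced straight into SQL, so a quote in the name changes
    # the query's meaning.
    query = f"SELECT id, name FROM users WHERE name = '{name}'"
    return DB.execute(query).fetchall()


def find_user_fixed(name):
    # The driver binds the value separately from the statement text.
    return DB.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


# --- 3. cross-site scripting: raw interpolation beside escaped output --------
def greet_vulnerable(name):
    return f"<p>Hello {name}</p>"


def greet_fixed(name):
    # html.escape turns <, >, &, and quotes into entities so the browser
    # renders the text instead of interpreting it as markup.
    return f"<p>Hello {html.escape(name)}</p>"


# --- 4. path traversal: joining a filename beside confining it to a base ----
def resolve_upload_vulnerable(filename):
    # ".." segments in the filename walk out of the uploads directory.
    return posixpath.join(UPLOADS, filename)


def resolve_upload_fixed(filename):
    """Return the normalised path, or None if it escapes UPLOADS.
    The check is lexical; on a live server also resolve symlinks
    (os.path.realpath) before comparing."""
    full = posixpath.normpath(posixpath.join(UPLOADS, filename))
    if posixpath.commonpath([UPLOADS, full]) != UPLOADS:
        return None
    return full
```

The pattern in every hardened handler is the same: the decision is taken on data the server controls (the stored role, the bound parameter, the escaped string, the normalised path), not on the shape of what the client sent.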
For its part, Tricentis uses Cursor and VS Code Agent to build applications for internal and external use cases, says its VP for AI and machine learning, David Colwell. But even with guardrails in place, vibe-coded applications can go off the rails rather quickly (the term, says Colwell, is “rather unfortunate…given how difficult it actually is.”) He warns that AI coding platforms can do things like break or edit unrelated code in other files and install outdated packages, all of which an untrained eye could miss.
Colwell’s team gets around this by providing their AI agent with a detailed plan, containing the kinds of technology definitions and references to packages that would probably elude the amateur dabbler of Karpathy’s imagination. The agent is then asked to respond with its own plan, showing that it understands its instructions, which, in turn, are reviewed and then only partially executed. Colwell insists that it’s important to keep anything the model executes confined to an easy-to-review amount as, “if you can’t review it, you don’t own it…and if you don’t own it, then it shouldn’t go in production.”
The process might feel laborious, he continues, but it saves time in the long run on developers jumping into the code to correct the AI’s mistakes. Ultimately, this approach gives the LLM guardrails and concrete documentation on what it should do, and, together with tests, forms a real-time feedback loop that allows it to verify that it has done what it said it would do. “Many of the errors that occur in vibe coding happen because it’s given a very broad definition of what you want it to do,” says Colwell. “Then it does silly things.”
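Two of the rules above (keep each executed step small enough to review, and catch edits to unrelated files or dependency manifests that the plan never mentioned) can be enforced mechanically before a human looks at the change. The following is an added example, not Tricentis’s tooling or any code from the article: a gate that reads the line-count summary `git diff --numstat` prints for the agent’s change and compares it with the approved plan. The numstat text, the plan and the line budget are all constructed sample values.

```python
"""Added example: a pre-review gate for agent-generated changes.
Inputs are constructed samples; the plan format is an assumption."""
import posixpath

# Constructed sample: what `git diff --numstat` printed for an agent's change.
# Columns are added, deleted, path; binary files show "-" for both counts.
SAMPLE_NUMSTAT = """\
12\t3\tsrc/ocr/cleanup.py
40\t0\ttests/test_cleanup.py
2\t2\tsrc/billing/invoice.py
-\t-\tassets/logo.png
"""

# Constructed plan the agent was approved to execute: which files it may
# touch and how many changed lines a reviewer is willing to read.
PLAN = {
    "files": {"src/ocr/cleanup.py", "tests/test_cleanup.py"},
    "max_changed_lines": 100,
}

# Dependency manifests always need a human to confirm the package versions,
# because the gate cannot tell offline whether a pinned version is current.
MANIFESTS = {"requirements.txt", "pyproject.toml", "package.json", "go.mod"}


def parse_numstat(text):
    """Return [(added, deleted, path), ...] from numstat output.
    Binary entries ("-") count as 0 lines but are still reported by path."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        added, deleted, path = line.split("\t", 2)
        rows.append((0 if added == "-" else int(added),
                     0 if deleted == "-" else int(deleted),
                     path))
    return rows


def review_gate(numstat_text, plan):
    """Return a list of findings; an empty list means the change is within
    the approved scope and size and may proceed to human review."""
    findings = []
    total = 0
    for added, deleted, path in parse_numstat(numstat_text):
        total += added + deleted
        if path not in plan["files"]:
            findings.append(f"out-of-scope file touched: {path}")
        if posixpath.basename(path) in MANIFESTS:
            findings.append(f"dependency manifest changed, verify versions: {path}")
    if total > plan["max_changed_lines"]:
        findings.append(
            f"change too large to review: {total} lines > {plan['max_changed_lines']}")
    return findings


if __name__ == "__main__":
    for finding in review_gate(SAMPLE_NUMSTAT, PLAN) or ["ok: within plan"]:
        print(finding)
```

Run against the sample, the gate flags `src/billing/invoice.py` and `assets/logo.png` as files the plan never mentioned while accepting the size of the change (59 lines against a budget of 100). Wiring it into CI so that the agent's branch cannot be merged until the findings list is empty, or a reviewer explicitly widens the plan, is what turns Colwell's "if you can't review it, you don't own it" into a check rather than a hope.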

Good vibes gone wrong
But how far away are we from enterprises widely embracing the vibe coding philosophy? Over 1,000 companies are working with the vibe coding platform Windsurf, its spokesperson Payal Patel claims, with 40-60% of all committed code generated by the platform. “I wouldn’t say enterprises are vibe coding in the way the term is usually used,” says Patel. Even so, the engineering teams tinkering with it “are starting to feel the same confidence and flow” they would under normal coding conditions.
Would they feel so good if they knew the lengths other enterprise IT teams have gone to secure that code? Perhaps not, but for some practitioners, concentrating on these pitfalls is just, well, bad vibes. For his part, Colwell says that as far as security is concerned, even expert developers should always be viewed as untrusted entities. “You assume the developer will make mistakes and add security vulnerabilities into the code,” he says. “That’s why you build your security practice as a defence in depth.”
Even so, says Paxton-Fear, CTOs should also be mindful of additional risks around regulation and bias in vibe-coded applications. If an AI tool is built based on ChatGPT, for example, there will be processing on the LLM that the developer might not understand or even know about. “Now you’ve got this new third party that hasn’t been onboarded correctly potentially receiving sensitive data,” cautions Paxton-Fear.
Clearly, with vibe coding there’s much to be wary of. But Paxton-Fear warns that it would be a mistake for an organisation to lurch to the conclusion that AI-generated applications are insecure, dangerous and worthy of blanket internal bans. Rather, she says, IT decision-makers should carefully weigh the pros and cons of adoption within the overall context of the truly massive potential gains that could be accrued from such an innovative approach to application development.
In large part, Colwell agrees. While vibe coding isn’t “the one-person, $5bn startup that can do everything with two guys,” the speed afforded to software development by vibe coding has untold potential for businesses. “If you’re an enterprise and you’re not using some form of agentic coding,” says Colwell, “then you won’t be a competitive enterprise for long.”