Webinar: The Art of Vibe Coding and Staying Secure: A Practical Guide

webinar The Art of Vibe Coding and Staying Secure A Practical Guide

In this OX Security webinar panel, Field CTO Chris Lindsey is joined by Dustin Lehr (co-founder of Katilyst) and Rob van der Veer (Chief AI Officer at Software Improvement Group) for a practical guide to vibe coding. The conversation defines what vibe coding actually is, explains why organizations are adopting it so quickly, and works through how to gain real development velocity without shipping insecure software. Along the way the panel covers maintainability and technical debt, advanced prompting techniques, AI-specific threats like package hallucination, and the rising importance of disciplined code review and developer education in a world where more and more code is machine-generated.

Key Takeaways

  • “Vibe coding” has two meanings, know which one you’re doing. Using an AI assistant to help you write code is fine; generating code you don’t understand is where the security risk lives.
  • AI is a tool, and you’re in the driver’s seat. Coding is only 15 to 20% of development work, and unguided AI won’t produce secure code, you have to direct it with real engineering knowledge.
  • Quality and maintainability are what actually drive velocity. Research links higher maintainability to smaller teams and fewer security issues; sometimes it’s cheaper to rewrite than to keep maintaining.
  • Prompt with vetted security sources, then verify the output. Feed OWASP cheat sheets and the ASVS into system prompts or retrieval-augmented generation, and ask the model “did you meet the requirements?” before trusting it.
  • Watch for AI-specific attacks. “Slop squatting” / package hallucination lets attackers register fake library names an LLM invents; apply least privilege and zero trust to anything AI-built.
  • Review and developer education are the real safeguards. Reviewing takes more skill than writing and the load falls on a few people, guard against review fatigue and “brain rot.” Developers stay accountable for AI output.

Video Transcript

Speakers

OX Security blog author avatar thumbnail displayed in the byline of supply chain and dependency-risk articles

Chris Lindsey

View on LinkedIn

Field CTO, OX Security (host/moderator)

Field CTO at OX Security and the session’s moderator, with 35 years in software development and AppSec.

DustinLehr

Dustin Lehr

View on LinkedIn

Co-founder, Katilyst

Co-founder of Katilyst, a former software engineer turned AppSec leader focused on security culture and security champions.

Rob r Rob van der Veer

Rob van der Veer

View on LinkedIn

Chief AI Officer, Software Improvement Group

Chief AI Officer at Software Improvement Group, lead author of ISO/IEC 5338 and founder of the OWASP AI Exchange.

FAQ

Two things, really. In the broad sense it’s using an AI assistant to help you write code. In the extreme sense it’s generating a working system by chatting with an LLM without understanding the code at all. The first is a productivity tool; the second is where security and quality risk concentrate.

The promise of more productivity, more autonomy, and faster prototyping, plus a dose of hype. It’s excellent for getting past writer’s block and standing up prototypes, but it’s less suited to production code without discipline, and leaders sometimes overestimate what it can replace.

Write high-quality, maintainable code from the start and pay down technical debt. With AI specifically: give it examples, work in small bite-sized pieces, ask explicitly for secure code, and still run an enterprise security tool to review the result.

Include relevant security cheat sheets in your system prompt, or use retrieval-augmented generation against vetted sources such as OWASP cheat sheets, the ASVS, and OpenCRE. Order matters, show a secure example and ask for code “like that.” Then feed the output back and ask whether it met the requirements.

Package hallucination, or “slop squatting,” where attackers pre-register fake library names that an LLM invents, so generated code points at malicious packages. Also over-broad permissions: give AI-built apps least-privilege, read-only access and treat them with zero trust.

Use AI for prototypes and for subtasks where it excels; rely on humans for domain knowledge, complex systems, and review. Keep developers actively coding so their skills stay sharp, AI will get lost, and you need people who can still review and fix the code.

The developer is, “you chose to use AI instead of doing the work yourself.” Invest in education, set a quality bar with metrics, and take review seriously to avoid review fatigue and brain rot. Enterprise security tooling at the end doubles as a training loop back to the developer.