More Dev Interrupted episodes

Your developers are the attack surface now and vibe coding as a vulnerability | Tanya Janca thumbnail

Your developers are the attack surface now and vibe coding as a vulnerability | Tanya Janca

Published 23 Jun 2026

Duration: 00:46:06

Modern software security grapples with autonomous agent-driven deployment risks, AI-generated code vulnerabilities like "vibe coding," expanded OWASP Top 10 2025 threats, supply chain weaknesses, and the urgent need for collaborative, proactive security practices, cultural shifts, and developer education over fragmented tools and outdated methodologies.

Episode Description

Developers are like water: if you make your security protocols too difficult, they will find a way to flow right around them. This week on Dev Interru...

Overview

The podcast explores emerging security challenges driven by rapid advancements in autonomous agents, AI-assisted development, and the evolving software supply chain. Key concerns include the heightened risks associated with "vibe coding"relying on AI-generated code without thorough reviewwhich can introduce vulnerabilities, such as leaked secrets, even with secure prompts. The discussion highlights the OWASP Top 10 2025, now expanded to 13 items to address modern threats like supply chain risks, CI/CD security, and "vibe coding." It critiques outdated security practices, emphasizing the need for integrated approaches like "purple security," which fosters collaboration between development and security teams, rather than treating security as a product or a checklist. The podcast also addresses gaps in incident response data and the limitations of current security tools, which are often circumvented by developers due to inefficiency and cost.

A major theme is the shift toward embedding security earlier in the development lifecycle ("shifting left"), including code generation, to prevent vulnerabilities from arising post-deployment. The software supply chain was identified as a critical vulnerability, with risks extending beyond organizational control through compromised packages, developer-targeted attacks, and third-party dependencies. Examples include supply chain breaches exploiting post-install scripts and developers access becoming a vector for attacks. The discussion stresses the importance of secure defaults, structured reviews for AI tools, and rethinking security education to prioritize defensive coding practices over rote memorization of vulnerabilities. It also underscores the underreported scale of security breaches, with publicized incidents representing only a fraction of total incidents, and calls for systemic changes in documentation, accountability, and organizational culture to address security as a shared responsibility rather than a siloed task.

Additionally, the podcast touches on the psychological and economic factors influencing developer behavior, such as resistance to restrictive security policies and perverse incentives tied to feature delivery over safety. It advocates for pragmatic, flexible frameworks that align with workflow efficiency and emphasizes the need for secure, low-friction environments to normalize best practices. The hidden cost of delayed security measures, the interconnected nature of vulnerabilities, and the growing role of behavioral economics in shaping secure defaults were also highlighted. Overall, the discussion underscores the urgency of modernizing security practices to keep pace with evolving threats while fostering collaboration, education, and systemic improvements across development and organizational cultures.

What If

  • What if you integrated secure AI prompts into your dev workflow to prevent vibe coding vulnerabilities?

    • Move: Implement a "secure code generation" check using AI tools with pre-defined, vetted prompts that enforce input validation, error handling, and secrets management.
    • Why Now?: With OWASP 2025 highlighting "vibe coding" as a critical risk and 1 in 60 developers introducing flaws via AI, immediate action is needed to mitigate human oversight in AI-assisted development.
    • Expected Upside: Reduced risk of secret leaks (e.g., hardcoded API keys) and alignment with "purple security" principles, improving code quality and reducing post-deployment remediation.
  • What if you built a supply chain security layer into your dependency management process?

    • Move: Adopt automated tools (e.g., Dependabot, Snyk) to scan dependencies for known vulnerabilities, disable untrusted post-install scripts, and enforce strict package update policies (e.g., only allow updates from packages >7 days old).
    • Why Now?: The software supply chain crisis and risks from compromised packages (e.g., NPM hijacking) are escalating, while tools like ChainGuard highlight the need for proactive defense.
    • Expected Upside: Minimize exposure to third-party risks, prevent deployment pipeline hijacking, and align with modern frameworks like APEX for AI efficiency in security.
  • What if you redefined your security defaults to prioritize "lock the front door" principles?

    • Move: Configure your development environments with out-of-the-box security controls (e.g., fail-closed error handling, encrypted secrets, CI/CD pipeline logging) and integrate these into your code generation templates.
    • Why Now?: Developers are increasingly targets for breaches, and security is a shared responsibility. Defaults like secure login flows and input validation reduce friction and align with OWASPs emphasis on foundational controls over rote memorization.
    • Expected Upside: Normalize secure practices, reduce reliance on external frameworks, and lower the cost of later remediation by catching issues at code generation.

Takeaway

  • Integrate security into code generation and review processes: Use AI-assisted tools with secure prompts, but always manually review generated code to catch vulnerabilities (e.g., leaked secrets in comments) and enforce "fail closed" practices.
  • Disable post-install scripts by default: Configure your environment to disable post-install scripts organization-wide, then selectively enable them only after verifying the trustworthiness of the package or dependency.
  • Adopt input validation as a foundational security practice: Prioritize validating all untrusted inputs (URL parameters, hidden fields) using allow lists over block lists, avoiding rote memorization of vulnerability lists like OWASP Top 10.
  • Shift security left by embedding controls early: Implement security checks during code generation (e.g., session management, identity verification) and collaborate with developers to align secure workflows with their natural patterns, reducing friction.
  • Use secure defaults for auto-updates and dependencies: Configure auto-update policies to only include packages at least seven days old, leveraging ecosystem stability over newer, potentially unstable updates (e.g., NPM package management).

Recent Episodes of Dev Interrupted

30 Jun 2026 How LinearB helps Kraken find hidden bottlenecks across thousands of engineers | Nik Sudan

Challenges in transitioning AI pilots to production include over-reliance on proof-of-concepts, misalignment with scalable systems, and cultural gaps in engineering practices, requiring disciplined strategies like throwaway code, rigorous testing, early user feedback, and systemic data-driven metrics to align AI with organizational goals through collaboration and infrastructure improvements.

16 Jun 2026 Your SDLC needs a productivity context engine

Challenges in AI adoption within engineering teams include overwhelmed staff, resource constraints, uneven productivity gains, declining code quality, rework from generated code, and rising costs, necessitating strategic focus on quality assurance, process optimization, AI-native workflows, metrics for ROI, and balancing automation with human oversight.

More Dev Interrupted episodes