A Weekend to Build. Minutes to Breach.
Something unprecedented is happening in software. People who have never written a line of code are shipping production SaaS applications. They are collecting payments, storing user data and processing sensitive information. The apps work. They look professional. Users sign up. Revenue comes in.
The code behind these apps is written entirely by AI. The founder describes what they want. Cursor, Bolt, Lovable, Replit Agent or Claude Code generates the application. The founder deploys it. This workflow has a name now: vibe coding.
We have audited dozens of vibe coded applications at Sherlock Forensics. Every single one had critical security vulnerabilities. Not warnings. Not best-practice suggestions. Exploitable vulnerabilities that would give an attacker access to user data, payment information or full administrative control.
What Vibe Coded Apps Get Wrong
AI coding tools are trained to make features work. Security is a constraint that competes with functionality, and when the person guiding the AI does not know to ask for security, the AI does not volunteer it.
- Authentication exists but is incomplete. The login page works: users can sign up and sign in. But the session management around it is broken. Session tokens never expire, password reset links stay valid and reusable indefinitely, and nothing limits how many passwords an attacker can try against one account. The AI built what was asked for (a login flow), not what was needed (a secure authentication system).
- Authorization is missing entirely. This is the most dangerous pattern. The app checks whether a user is logged in but never checks whether that user may access the requested resource. Change the ID in the URL and you see another user's data. Request an admin route and the same "is logged in" check lets you through. The AI never added authorization checks because the founder never asked for them.
- API keys live in client-side code. Stripe secret keys, OpenAI keys, Supabase service-role keys, database connection strings: the AI puts them wherever is fastest to make the feature work, and in a vibe coded app that is usually a JavaScript bundle that ships to every browser. Open developer tools, search the bundle for "key" and you find them all. Stripe publishable keys and the Supabase anon key are designed to reach the browser; the secret and service-role keys sitting beside them are not.
- Database queries use string concatenation. Every vibe coded app we have tested that uses a relational database has at least one SQL injection vulnerability. The AI builds queries by gluing user input into the SQL text. They work with expected input, break with a single quote character and, given a crafted string, let an attacker change what the query does.
- Error messages expose internals. Stack traces, database schemas, file paths and server configuration leak through error responses. The AI leaves debug mode enabled because it makes development easier, and no one turns it off before deployment because no one knows it is on.
Why Scanning Is Not Enough
The natural response is "just run a scanner." We tested this. We ran industry-standard SAST and DAST tools against vibe coded applications with known critical vulnerabilities. The scanners caught some issues. They missed the worst ones.
Scanners miss business logic flaws. They do not understand that User A should not see User B's invoices. They do not know that the admin panel should require a different role than the user dashboard. They cannot detect that the payment flow skips verification on specific code paths that the AI generated for edge cases.
| Vulnerability Type | Scanner Detection | Manual Audit Detection |
|---|---|---|
| SQL injection (basic) | Detected | Detected |
| Broken access control | Missed | Detected |
| Client-side API keys | Partial | Detected |
| Business logic bypass | Missed | Detected |
| Insecure direct object reference | Missed | Detected |
| Missing rate limiting | Missed | Detected |
The vulnerabilities that scanners miss are the ones attackers exploit most reliably. Broken access control has been the number one risk on the OWASP Top 10 since the 2021 edition (A01:2021), and insecure direct object reference, listed separately in the table, is its most common form. It requires human analysis to detect because it depends on understanding the application's intended authorization model: nothing in the code says which user is supposed to see which invoice.
The Non-Technical Founder Problem
Traditional security advice assumes the builder understands code. "Use parameterized queries." "Implement RBAC." "Rotate your secrets." These instructions mean nothing to someone who built their entire application by describing features in English.
This is not the founder's fault. The tooling is marketed as a complete solution. "Build your app without coding." The marketing does not mention that security is not included. The founder has no way to know what they do not know.
That gap between "it works" and "it is secure" is exactly where we operate. Our vibe coding audit reports are written for non-technical founders. Each finding includes a plain-language explanation of the risk, its business impact and remediation instructions that can be pasted directly into the AI coding tool to apply the fix.
What to Do Before You Get Hacked
If you vibe coded your app, you need a security audit before you take on users, process payments or store sensitive data. Not after. Before.
Start with our free security checklist to assess your baseline. Then scope a vibe coding security audit starting at $1,500. We find the vulnerabilities, explain them in language you understand and give you the exact instructions to fix them.
The AI built your app. Let a human secure it.