Vibe-coded apps are a free lunch

I frequently peruse r/selfhosted, and since the advent of AI-coded apps it seems to have gone through an inflection point. Every post about an AI-generated/assisted/coded app gets a fair ton of negative comments from people who are sick of AI slop.

I share this sentiment, with a nuance. A vibe-coded app is somebody else spending a lot of money on tokens. It’s money I personally don’t have to spend. I save time, too. There were poorly written applications before vibe-coding. It’s just that the barrier to entry is much, much lower, so the risks are higher. Reviews are now really important. AI is now heaps better at reviewing code for vulnerabilities. I vibe coded podcast-gateway. It gathers a bunch of content and exposes it via podcast links that I can put in my podcast app to listen to while going places. The first few iterations were quite bad in terms of security. It created an OIDC authentication mechanism, but exposed the management URLs to unauthenticated users. It kept secrets in code. And some other issues that I don’t remember.

After a few iterations, though, it managed to get a solid application model in place. The key is – I had to review it and know that it was a problem. I think AI can do it better now, though. If AI is good at writing small-scale projects, and is also decent at reviewing for poor security practices, who cares who is writing the prompts? What matters is the idea and the usability of the project. If I find the project useful and at a glance it looks decently coded – I don’t have a problem running it. Now, how you run your applications makes a big difference.

Analysing the attack surface is still relevant:

– Are you exposing the application to the public?

– What minimum set of connectivity does it require to the internet, to other services?

– Is it allowed to write to your production database? To your storage server?

The answers to these questions form a risk profile. Am I going to run a network-analysing vibe-coded app deeply embedded in my OS? Hell no. Can I give it read-only access to my media library to generate some pretty stats? Easy.

You can see the differences between classes of vibe-coded apps. I think my point of view is biased by my experience as a software developer and a DevOps engineer. My hobby and my work is creating fences around applications: make sure the permissions model is solid, make sure it consumes only what it’s allowed to, make sure it’s given the absolute minimum permissions required to run.
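What "creating fences" looks like in practice, as an added example that is not from the post or from podcast-gateway: a Docker Compose file for a hypothetical vibe-coded "media-stats" app that reads a media library and writes a report. The image name, host paths and the `internal` network are assumptions; the `media-stats-loose` service is included only for contrast and shows the shape most generated READMEs ship with, while `media-stats` answers the three questions above with read-only storage, no internet route, no capabilities and no secrets in the file.

```yaml
# Added example, not from the post. Image name and paths are placeholders.
services:

  # --- Before: the defaults a generated README tends to hand you ---------------
  media-stats-loose:
    image: example/media-stats:latest          # placeholder image
    ports:
      - "8080:8080"                            # reachable from the whole LAN (or the internet, if port-forwarded)
    environment:
      - DB_PASSWORD=hunter2                    # secret committed with the compose file
    volumes:
      - /srv/media:/media                      # read-write: one bug can rewrite or delete the library
      - /var/run/docker.sock:/var/run/docker.sock  # host control for "convenience"

  # --- After: fenced in ---------------------------------------------------------
  media-stats:
    image: example/media-stats:latest          # placeholder image
    user: "1000:1000"                          # not root inside the container
    read_only: true                            # immutable root filesystem
    tmpfs:
      - /tmp                                   # the only scratch space the app gets
    volumes:
      - /srv/media:/media:ro                   # library mounted read-only (question 3)
      - stats-output:/output                   # the single writable location: the report
    cap_drop:
      - ALL                                    # no Linux capabilities at all
    security_opt:
      - no-new-privileges:true                 # setuid binaries cannot escalate
    networks:
      - internal                               # no ports published; only peers on this network reach it (question 1)
    secrets:
      - db_password                            # surfaced as /run/secrets/db_password, not in this file
    pids_limit: 200                            # a fork bomb or runaway worker pool hits a ceiling
    mem_limit: 256m

networks:
  internal:
    internal: true                             # no route to the internet (question 2)

volumes:
  stats-output:

secrets:
  db_password:
    file: ./db_password.txt                    # kept out of git, readable only by the deploying user
```

If the app does need to be reachable, attach a reverse proxy to both `internal` and a public network rather than publishing the app's port; if it needs one outbound destination (a podcast feed, an OIDC provider), a second non-internal network or an egress proxy gives it exactly that and nothing else. Run `docker inspect` on the started container to confirm `CapDrop`, `ReadonlyRootfs` and the `:ro` mount actually took effect.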

Another aspect of vibe-coded apps I love is creativity. Problems non-developers could not solve for lack of the skills are now getting solutions – half-baked with a bunch of security holes, sure, but it is fun to see what niche solutions others are itching to create!