Description
Learn how to vibe code securely in AI-generated apps, covering risks like insecure defaults, broken auth, exposed secrets, and best practices.
Our Developer Advocate Angelik Laboy Torres will walk through how to build AI-generated apps securely, avoiding common vibe coding risks like weak authentication, insecure defaults, and exposed secrets.
More resources
Try Retool for free: https://retool.com/
The top vibe coding tools for 2026: https://retool.com/blog/top-vibe-coding-tools
Transcript
0:02 Welcome back everybody! My name is Angelik Laboy Torres,
0:07 I’m a developer advocate here at Retool and today we’re talking about something that is surely fun to use, feels fast and
0:14 might feeelll like it’s working with no caveats… but
0:18 could quietly be a security nightmare. Yep! We’re talking about how to
0:23 vibe code securely and how you could keep an eye out for blind spots plus how to keep experimenting
0:31 with guardrails to protect you. Let’s get started!

0:38 Why Vibe Coding is So Popular. AI, more than ever before, has made it extremely easy for anybody to
0:45 build things (and fast). You type what you want - “Build a dashboard with my leads
0:50 from the funnel table in @Salesforce” and poof, the app is there
0:56 in minutes, if not hours. It’s empowering! It means that all you need to have is domain knowledge and an idea for my non-technical folks
1:03 out there. For engineers, it means getting to play around when building prototypes, testing,
1:08 and moving through the cycle of development at light speed.
1:13 But here’s the thing: when you’re vibe coding, you’re often skipping critical steps.
1:19 And when you skip those steps in enterprise apps?
1:26 You open the door to real risk.

1:33 Risk #1: Insecure Defaults.
1:40 When developing with AI, it often takes the path of least resistance.
1:48 Let’s say you ask AI to build a form that saves data
1:54 and puts it into your database.
2:01 The AI might send raw user input directly into your database—without checking or cleaning it first.
2:07 This is what we call an injection vulnerability. It means someone could sneak in a command that deletes your entire table.
2:14 Uuufff!
2:16 So what is the solution here?
2:18 Tell your vibe coding tool of choice
2:22 to use parameterized queries,
2:24 which basically means user inputs are boxed in,
2:27 and can’t mess with your database commands.
2:31 This prevents unexpected behavior
2:33 and protects against malicious inputs.

2:37 Risk #2: Fake or Broken Authentication.
2:40 AI might give you an app that looks like it has login protection,
2:44 but doesn’t actually enforce it.
2:47 For example, sometimes it only checks
2:49 a user’s permissions in the browser
2:51 which anyone can fake using the browser’s
2:54 built-in Developer Tools.
2:56 That means users could access admin features
2:59 just by flipping a switch
3:01 in their browser console.
3:05 So what are the solutions here?
3:06 First,
3:08 Tell your vibe coding tool to use real authentication backed by secure protocols like SSO or OAuth.
3:16 Implement role-based permissions that apply across the entire app,
3:24 not just on the front end.
3:28 Make sure critical logic lives
3:31 server-side.

3:33 Risk #3: Hardcoded Secrets.
3:37 Sometimes AI drops sensitive info, like API keys or passwords,
3:42 directly into the code.
3:46 That means if you publish or share the app,
3:48 you might be exposing those secrets to anyone with access.
3:53 That would be catastrophic…
3:55 Solution: Store secrets in a secure vault
3:58 or environment variable management system,
4:01 never in your code.
4:03 Make sure secrets are only accessible
4:08 at runtime on the backend
4:13 and are rotated regularly.

4:20 Risk #4: Shady or Made-Up Dependencies.
4:25 AI might suggest using a library or package that sounds real,
4:29 but doesn’t exist—and attackers know this.
4:35 They register those fake names so that if you install one,
4:40 you might be installing malware.
4:45 Solution: Use vetted, trusted components instead of importing random packages.
4:51 If you must add dependencies, check their source,
4:56 reputation, and maintenance history before installation.

5:02 Risk #5: No Logs, No History.
5:09 You build fast, deploy fast… then something breaks or data disappears.
5:15 But there’s no log, no version history, no idea what happened or who did it.
5:21 Solution: Implement audit logging across your app—
5:26 track changes to data,
5:30 app edits, and user actions.
5:35 Use version control for your app logic
5:38 so you can roll back changes when needed.

5:42 Risk #6: Apps That Accidentally Go Public.
5:45 You build a tool, connect live data,
5:48 share it with a teammate…
5:51 and suddenly anyone with the link can access it.
5:53 Oops. Solution: Default to private access.
6:00 Define visibility levels
6:02 for every app
6:04 and make authentication mandatory
6:07 before any data is shown.
6:12 Even internal tools should assume zero trust.

6:16 Best Practices to Keep Vibe Coding Safe.
6:20 Some general best practices no matter where you decide to vibe code:
6:23 Be specific when prompting AI:
6:25 ask for secure patterns, not just "make it work".
6:31 Always review what the AI gives you,
6:37 assume nothing is secure by default.
6:42 Use platforms that come with security guardrails baked in.
6:45 *Wink, with a zoom in*
6:50 Treat AI like a junior dev:
6:53 helpful and fast, but needs oversight.

7:00 At the end of the day,
7:04 this new dawn is very exciting as much as it is powerful.
7:07 I believe in the potential of anybody being a builder
7:08 and in helping them to feel empowered.
7:11 Experimentation is something that has long been skipped during the development cycle
7:15 due to the speed required, but no longer.
7:18 Yet without structure, it can cause some headaches inside some companies.
7:25 With these tips you can now consider the right safety measurements
7:31 to get the speed of AI plus the confidence that what you’re building is solid.
7:35 If you would like to read more about Retool’s safety and secure practice,
7:43 I will add a link below for you to read.
7:49 If you want a vibe coding platform that helps you build just as fast
7:54 while handling many of these security best practices for you, check out Retool.
7:59 In Retool, AI can lay out the components of your apps,
8:06 connect them to your data and, when you’re ready, deploy to production.
8:12 Make sure to visit
8:15 retool.com to get started.
8:20 Thank you and see you in the next one!
8:26 [MUSIC PLAYING]
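Worked example for Risk #1 (insecure defaults and injection). This is an added illustration, not code from the video or from Retool: a form handler written the "path of least resistance" way, next to the parameterized version the speaker recommends. The table name, the in-memory SQLite database and the two sample inputs are constructed for the demo. The string-built query fails on an ordinary name containing an apostrophe, which is the same confusion between command and data that injection exploits; the parameterized query stores both inputs verbatim and the table stays intact.

```python
import sqlite3

# Constructed sample inputs (not from the video). The first is a legitimate
# name containing a quote; the second looks hostile and must be stored as plain data.
LEGIT_NAME = "O'Brien"
HOSTILE_NAME = "x'); DELETE FROM leads; --"


def make_db():
    """Create an in-memory leads table with one seed row (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE leads (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute("INSERT INTO leads (name) VALUES ('seed')")
    conn.commit()
    return conn


def save_lead_unsafe(conn, name):
    """The insecure default: user input spliced straight into the SQL text.

    The database cannot tell where the command ends and the data begins,
    so any quote character in the input changes the meaning of the statement.
    """
    conn.execute(f"INSERT INTO leads (name) VALUES ('{name}')")
    conn.commit()


def save_lead_safe(conn, name):
    """Parameterized query: the SQL text is fixed, the value travels separately."""
    conn.execute("INSERT INTO leads (name) VALUES (?)", (name,))
    conn.commit()


def lead_names(conn):
    """Return every stored name in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM leads ORDER BY id")]


def unsafe_breaks_on_quote():
    """True if the string-built query fails on an ordinary apostrophe in the input."""
    conn = make_db()
    try:
        save_lead_unsafe(conn, LEGIT_NAME)
        return False
    except sqlite3.Error:
        return True
    finally:
        conn.close()


def safe_stores_inputs_verbatim():
    """Table contents after inserting both sample inputs through placeholders."""
    conn = make_db()
    try:
        save_lead_safe(conn, LEGIT_NAME)
        save_lead_safe(conn, HOSTILE_NAME)
        return lead_names(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    print("string-built query fails on O'Brien:", unsafe_breaks_on_quote())
    print("parameterized table contents:", safe_stores_inputs_verbatim())
```

The `?` placeholder is the SQLite/Python DB-API style; other drivers use `%s` or `$1`, but the property is the same: the query text never changes based on what the user typed, which is what "boxed in" means in the video.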
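Worked example for Risk #2 (browser-only permission checks) and Risk #6 (apps that default to public). This is an added illustration, not code from the video or from Retool. The session store, the role table and the per-app access list are constructed stand-ins for what a backend would hold after SSO or OAuth login; the point is that every decision is made server-side from the session, any `is_admin` flag the browser sends is ignored, and an app that is not explicitly listed is private to everyone.

```python
from dataclasses import dataclass, field

# Constructed server-side state (hypothetical, not Retool's API). After SSO/OAuth
# login the backend holds sessions like these; the browser only holds the token.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "admin"},
    "tok-bob": {"user": "bob", "role": "viewer"},
}

# What each role may do. Enforced on the server on every request, not in the UI.
ROLE_ACTIONS = {
    "admin": {"view", "edit", "delete"},
    "viewer": {"view"},
}

# Explicit access list per app. Apps not listed here are private and reachable by
# nobody, so a freshly built app never leaks just because someone has the link.
APP_ACCESS = {
    "lead-dashboard": {"alice", "bob"},
    "payroll-admin": {"alice"},
}


@dataclass
class Request:
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def authorize(request, app, action):
    """Decide on the server whether this request may perform `action` on `app`.

    Returns (allowed, reason). Nothing the client sends in the body, such as an
    `is_admin` flag flipped in DevTools, influences the decision.
    """
    token = request.headers.get("Authorization", "").removeprefix("Bearer ")
    session = SESSIONS.get(token)
    if session is None:
        return False, "unauthenticated"
    if session["user"] not in APP_ACCESS.get(app, set()):
        return False, "app is private for this user"
    if action not in ROLE_ACTIONS.get(session["role"], set()):
        return False, f"role {session['role']} lacks {action}"
    return True, "ok"


def handle(request, app, action, load_data):
    """Authenticate and authorize before any data is loaded, never after."""
    allowed, reason = authorize(request, app, action)
    if not allowed:
        status = 401 if reason == "unauthenticated" else 403
        return {"status": status, "error": reason}
    return {"status": 200, "data": load_data()}


if __name__ == "__main__":
    bob = Request(headers={"Authorization": "Bearer tok-bob"}, body={"is_admin": True})
    print(handle(bob, "lead-dashboard", "view", lambda: ["lead 1", "lead 2"]))
    print(handle(bob, "lead-dashboard", "delete", lambda: ["lead 1"]))
    print(handle(Request(), "payroll-admin", "view", lambda: ["salary rows"]))
```

Note the ordering in `handle`: the data loader is only invoked after authorization passes, so a failed check can never return a partially loaded response. The 401/403 split is a convention, not a security control; the control is that the default answer is "no".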
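Worked example for Risk #3 (hardcoded secrets). This is an added illustration, not code from the video or from Retool. It shows the two halves of the speaker's advice in code: a small review check that flags string literals assigned to credential-looking variable names in generated source, and a runtime loader that reads secrets from the environment on the backend and refuses to start without them, plus a rotation-age check. The sample source text and the placeholder key value are constructed; the regex is a heuristic for review, not a substitute for a real secret scanner.

```python
import os
import re
from datetime import date, timedelta

# Constructed source snippet (not from the video): the kind of output an assistant
# produces when asked to "just make it work". The key value is a placeholder.
SAMPLE_SOURCE = '''
SALESFORCE_API_KEY = "sk_live_EXAMPLEPLACEHOLDER0000"
db_password = 'hunter2'
region = "us-east-1"
token = os.environ["SALESFORCE_API_KEY"]
'''

# A string literal assigned to a variable whose name suggests a credential.
# Reads from os.environ are not literals and are therefore not flagged.
SECRET_ASSIGNMENT = re.compile(
    r"""^\s*([A-Za-z_]*(?:key|secret|password|passwd|token)[A-Za-z_]*)\s*=\s*(["'])(.+?)\2\s*$""",
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(source):
    """Return the variable names that are assigned a literal credential-looking value."""
    return [match.group(1) for match in SECRET_ASSIGNMENT.finditer(source)]


def get_secret(name, env=None):
    """Read a secret from the environment at runtime on the backend.

    Failing fast at startup is deliberate: a missing secret should never be
    papered over with a default that ends up committed to the repository.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"missing secret {name}; provide it via the vault or environment, not in code")
    return value


def secret_is_stale(rotated_on, today, max_age_days=90):
    """True if the secret has not been rotated within the allowed window (90 days is an assumed policy)."""
    return today - rotated_on > timedelta(days=max_age_days)


if __name__ == "__main__":
    print("hardcoded:", find_hardcoded_secrets(SAMPLE_SOURCE))
    print("stale:", secret_is_stale(date(2025, 1, 1), date(2025, 6, 1)))
```

The review check is meant to run over the files an assistant produced before they are shared or published; the runtime loader is what the backend calls, so the browser bundle never contains the value.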
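Worked example for Risk #5 (no logs, no history). This is an added illustration, not code from the video or from Retool: a minimal append-only audit log that records who did what to which record, with the before and after values, and chains each entry's hash to the previous one so that an edited or deleted entry is detectable on verification. The actions, targets and timestamps are constructed for the demo.

```python
import hashlib
import json
from datetime import datetime, timezone


class AuditLog:
    """Append-only log of who changed what, each entry hashed over the previous one."""

    def __init__(self):
        self.entries = []

    def record(self, actor, action, target, before=None, after=None, at=None):
        """Append one entry and return its hash."""
        entry = {
            "seq": len(self.entries),
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
            "before": before,
            "after": after,
            "prev": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry):
        """SHA-256 over the canonical JSON of every field except the hash itself."""
        body = {key: value for key, value in entry.items() if key != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()

    def verify(self):
        """Return the index of the first entry whose chain is broken, or None if intact."""
        prev = "0" * 64
        for index, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return index
            prev = entry["hash"]
        return None

    def history(self, target):
        """Every entry touching one record or app, oldest first."""
        return [entry for entry in self.entries if entry["target"] == target]


def demo():
    """Constructed sequence of actions in a hypothetical leads app."""
    log = AuditLog()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    log.record("alice", "edit", "leads/42", {"stage": "new"}, {"stage": "won"}, at=t0)
    log.record("bob", "delete", "leads/7", {"stage": "lost"}, None, at=t0)
    log.record("alice", "app.edit", "lead-dashboard", "v3", "v4", at=t0)
    return log


if __name__ == "__main__":
    log = demo()
    print("chain intact:", log.verify() is None)
    for entry in log.history("leads/7"):
        print(entry["actor"], entry["action"], entry["before"], "->", entry["after"])
```

Keeping the `before` value alongside `after` is what makes the "data disappeared" case answerable: the deletion of `leads/7` in the demo records who removed it and what it held. Writing the log to storage the app itself cannot rewrite is a deployment concern this toy in-memory version leaves out.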