This week at the RSA Conference, the UK’s National Cyber Security Centre (NCSC) CEO Richard Horne called on the cybersecurity community to develop safeguards around “vibe coding” as adoption of AI-assisted development tools continues to grow and presents both opportunities and risks.
Horne stated that while AI-generated code could help reduce vulnerabilities if implemented securely, it also has the potential to introduce or propagate weaknesses if not properly designed and reviewed. The NCSC emphasized that AI development tools must be secure by design and trained to avoid generating insecure code, as part of a broader effort to improve software security outcomes.
The agency also noted that the rapid growth of AI-assisted development is expected to drive wider adoption of “vibe coding,” making it critical for security professionals to establish controls and best practices early. The NCSC said the industry has both the opportunity and responsibility to ensure that AI-driven software development results in more secure systems over time.
“To combat this ‘multi-dimensional’ threat, our collective approach to defending our societies must match that,” Horne said, likening cyber defense to a full court press in basketball, where “collective pressure from all actions together” can have the greatest impact.
Rajeev Raghunarayan, Head of GTM at Averlon, had this to say:
“Richard Horne is right to flag vibe coding as a security concern. The deeper risk is what it does to the underlying environment. More AI-generated code means more updates, more dependencies, and faster change across systems that security teams are still struggling to keep pace with.
“The challenge isn’t just whether AI generates insecure code. Environments no longer stay stable long enough to evaluate risk the way teams operated traditionally through point-in-time scans, static prioritization, and backlog-driven remediation. Security must move at the same pace as the introduced changes, meaning it must evaluate and address risk as it happens, not weeks or months later.”
Ryan McCurdy, VP of Marketing at Liquibase, adds this comment:
“AI compresses the time between idea and production, raising the stakes for change control. When database changes reach production without policy enforcement, approvals, drift detection, and auditability, companies multiply risk with every release. The consequences show up in outages, compliance exposure, slower incident response, and inconsistent data that weakens execution across the business.
“Leaders who govern change well can scale AI with more control, protect business-critical operations, and accelerate transformation without increasing operational risk.”
Michael Bell, Founder & CEO of Suzu Labs, follows with this comment:
“The NCSC’s Richard Horne is right that the cybersecurity community needs to get ahead of vibe coding rather than fight adoption. The commandments his team published at RSA this week are all individually correct. Secure model defaults. AI code reviews. Deterministic guardrails. Secure hosting. But treating them as a checklist misses how security actually works. No single control catches everything.
“Vibe coding security needs to be defense in depth. Security checks at the model layer, at pre-commit, at the build pipeline, at deployment, and at runtime. Each layer catches what the previous one missed. We’ve already seen what happens when security depends on one check. When researchers examined vibe-coded applications, 10% of apps on one platform had the exact same security misconfiguration, and broader research shows only 10.5% of AI-generated code is secure even when 61% is functionally correct.
“The NCSC’s CTO imagined a future where AI code ends up more locked down than any SaaS product ever was. That’s achievable. But only if we build layered security infrastructure to match the speed of AI-assisted development. One check at one stage is a half-court trap. The adversary gets around it. Defense in depth is the full court press.”
There are dangers in terms of using AI to write code. Organizations need to be aware of that and take the right mitigations before something really bad happens. And I do mean really bad.
A Perspective On Russia linked threat actors targeting Signal, WhatsApp and Telegram From Detectify
Posted in Commentary with tags Detectify on March 27, 2026 by itnerd

Following up on the recent news of Russia linked threat actors targeting Signal, WhatsApp and Telegram, Fredrik Almroth, co-founder and Security Researcher at appsec security firm Detectify, serves up some perspective on how messaging apps and personal devices are becoming an increasingly important part of the real attack surface.
“The broader lesson is that organizations should stop treating secure messaging as a silver bullet. Strong encryption matters, but it does not protect you if the endpoint is compromised or the account itself is hijacked. What makes this trend so concerning is that it blurs the line between consumer technology and resilience infrastructure. Messaging apps, smartphones, and linked devices are now woven into how governments, companies, and critical sectors actually function – often adopted at a velocity that traditional security struggles to match.
Modern defense is no longer just about protecting official systems, but about protecting the communications reality people actually operate in. The attack point is often not the ‘secure bunker,’ but the phone in someone’s pocket. From an attacker’s perspective, these channels are attractive precisely because they are trusted, ubiquitous, and often far less visible to defenders than formal enterprise systems. If hostile actors can reach decision-makers, staff, or even suppliers through trusted channels, they can bypass a surprising amount of traditional security.
Often, they do not need to break encryption at all. They just need to compromise the device, hijack the account, abuse a linked-device workflow, or trick the user at the right moment. This is why the communications layer around sensitive institutions is now part of the real attack surface.
In practice, that means paying far more attention to mobile-device hygiene for executives and other high-risk personnel. You don’t just need to secure the network, but also improve the communications habits around it. Smart attackers will always go for the points of least resistance. You can spend millions hardening formal systems, but if your most sensitive conversations are happening on poorly governed devices and trusted consumer apps, that’s where they’ll go.”