~/VibeHandbook

Chapter 18 · 07

The security review gate

Here's the one habit that turns all of the above from a worry into a process: before you ship, make the AI attack its own code. The model that wrote the feature can usually find the holes in it — it just won't unless you ask. Flip it from builder to adversary:

You wrote this endpoint. Now act as an attacker trying to break it.
List every way a malicious user could:
  - read or modify data they shouldn't (authorization holes)
  - inject code via input (SQL injection, XSS, command injection)
  - abuse missing validation or rate limits
For each, show the exact request that exploits it, then the fix.
Don't reassure me — assume there IS a vulnerability and find it.

That last line matters: left neutral, the AI tends to say "looks secure!" Told to assume a flaw exists, it actually goes looking. Pair the adversarial pass with a short pre-ship checklist you run on anything user-facing:

  • Every endpoint checks authorization, not just that the user is logged in
  • All queries are parameterized — no string-built SQL
  • User input rendered to the page is escaped (no raw HTML injection)
  • No secrets in client code, and none committed to the repo
  • .env is gitignored; any leaked key has been rotated
  • File uploads validate type and size and use generated names
  • New dependencies were eyeballed for real existence and reputation
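
The first three checklist items as code, added here as an illustration rather than anything from the handbook: a "before" note handler that only checks login, string-builds its SQL and renders raw HTML, beside the "after" that checks ownership, binds parameters and escapes output. The `db` object and the `NOTES` rows are constructed stand-ins for a real driver and table.

```javascript
// Added example (not the handbook's own code): the first three checklist items
// as a "before" handler beside its "after". `db` is a constructed stand-in for a
// real driver: it records every query and applies only the *bound* parameters,
// so a caller can see whether raw user input reached the SQL text.
const NOTES = [ // constructed rows; ids 1 and 2 belong to different users
  { id: 1, owner: 'alice', body: '<b>hi</b>' },
  { id: 2, owner: 'bob', body: 'plain' },
];
const db = {
  calls: [],
  query(sql, params = []) {
    this.calls.push({ sql, params });
    const [id, owner] = params; // string-built SQL carries no params: nothing filters
    return NOTES.filter(r => (id === undefined || r.id === id) &&
                             (owner === undefined || r.owner === owner));
  },
};

// BEFORE: "logged in" is the only check, SQL is string-built, body is raw HTML.
function noteHandlerUnsafe(req) {
  if (!req.user) return { status: 401 };
  const rows = db.query(`SELECT * FROM notes WHERE id = ${req.params.id}`);
  return { status: 200, html: `<p>${rows[0]?.body}</p>` };
}

// Minimal HTML escaping for text nodes (attribute and URL contexts need more).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);
}

// AFTER: object-level authorization (owner in the WHERE clause), validated and
// parameterized input, escaped output. Same route, same data, no new deps.
function noteHandlerSafe(req) {
  if (!req.user) return { status: 401 };
  const id = Number(req.params.id);
  if (!Number.isInteger(id)) return { status: 400 };
  const rows = db.query('SELECT * FROM notes WHERE id = ? AND owner = ?', [id, req.user]);
  if (rows.length === 0) return { status: 404 }; // not found and not yours look the same
  return { status: 200, html: `<p>${escapeHtml(rows[0].body)}</p>` };
}
```

Run the unsafe handler as `bob` asking for note `1` and it serves alice's raw `<b>` markup; the safe handler answers 404, and answers 400 to an id like `1 OR 1=1` before any SQL is built.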

Picture the gate as a sequence nothing ships without passing. The AI switches hats from builder to attacker, then the automated scans backstop what a human pass might miss:

  feature code
       │
       ▼
 ┌──────────────────┐   "assume there IS a bug, find it"
 │ ADVERSARIAL PASS │   authz holes · injection · validation
 │ (AI as attacker) │
 └────────┬─────────┘
          │ issues found? ── yes ──▶ fix ──┐
          │ no                             │
          ▼                                │
 ┌──────────────────┐ ◀─────────────────── ┘
 │ AUTOMATED GATES  │   secret scan (gitleaks) · npm audit
 │ (CI, every push) │   parameterized? · secrets out of client?
 └────────┬─────────┘
          │ all green
          ▼
        SHIP ✓     ── anything red blocks the push ──

And run a scanner before you push — a tool like gitleaks (or your platform's built-in scanning) greps your code and git history for strings shaped like keys. It's a one-command safety net for the most expensive mistake on the list, and you can have the AI wire it into CI (Continuous Integration, the robot that automatically runs your checks every time you push code) so it runs on every push.
