Thoughtworks says vibe-coded apps need security rules
This article lays out a security framework for AI-assisted app building after Thoughtworks encountered two near-miss incidents while scaling a vibe-coded marketing prototype. The core argument is that prompts alone are not enforceable security controls, so teams need versioned security context files, deterministic checks, permission review habits, and ongoing security intelligence feeds to keep AI-generated code, infrastructure, and permissions safe enough for production.
Hot take: this is less a story about “vibe coding” than a warning that enterprise AI adoption is already colliding with classic security failure modes, and prompt engineering is the weakest possible control surface.
- –The strongest point is operational: security guidance has to live in the workflow, not in a one-off instruction to the model.
- –The article is persuasive because it pairs abstract advice with concrete near-misses like public storage access and over-broad service account permissions.
- –The proposed “security context file” is practical, but its real value depends on enforcement from scanners, policy gates, and review discipline.
- –This is most relevant for teams shipping internal AI tools quickly, especially where non-engineers are now building with copilots and agentic assistants.
- –The framing is a good reminder that “secure-by-default” templates will matter more than clever prompts as AI-generated code volume grows.
DISCOVERED
46d ago
2026-05-28
PUBLISHED
46d ago
2026-05-27
RELEVANCE
AUTHOR
HieronymusBosch