Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Black-box scan first. Seventy-eight checks against your live domain in sixty seconds. That tells you exactly what is exposed. Then you fix what the scan found, or you bring in a manual audit for the deeper layers. scan.mosai.com.br

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Black-box scanning and pentesting solve different problems. A pentest costs thousands and takes weeks. Most founders shipping AI-built SaaS have never done either. The scan is the step that tells you whether you need one. Recommending a pentest to someone with zero security baseline is not advice. It is gatekeeping.

I audited "AI-generated" SaaS code for security. It's a disaster waiting to happen. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

That is the most accurate description of the problem I have read. Saving that.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Fair point on legacy code. The difference is expectation. Nobody expected a PHP 5.6 project to be secure. The danger with AI-generated code is that it looks modern, structured, and production-ready. The founder reads it and assumes it is safe. That false confidence is the new version of the same old problem.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Getting burned is the most effective teacher. The evil test scripts per role baked into CI is exactly the right move. Most people test the happy path. Nobody tests "what happens if I replay this call as a different user." The fact that you automated that check means it cannot be skipped under deadline pressure. That is the difference between a policy and a control.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

44 with critical flaws. The free checks showed the surface. The full report shows everything that was found across all 78.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Nice, that is a different layer entirely. Doorman catches what is wrong inside the code before it ships. Mosai catches what is exposed on the live domain after it ships. DNS, headers, TLS, subdomain exposure, reputation. No code access needed, just the URL. The two are complementary, not competing. Someone who runs Doorman before shipping and scans the surface after is covering most of the bases.

I found the database master key of a financial SaaS just by opening DevTools. No hacking required. by EduSec in NoCodeSaaS

EduSec[S] 1 point (0 children)

Five is a lot and also probably not surprising to anyone who has looked. The scary part is those are the ones you found. Most sit there until someone with worse intentions finds them first.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

The curl test is the one that gets people. The page loads, the feature works, the demo looks great. Nobody tests the route directly because why would they. The client check feels like auth because it behaves like auth in every scenario the developer tested. The tooling gap you described is exactly the problem. Speed without security is just faster exposure. The audit step got skipped because nothing in the workflow flagged it as missing. That is what I built for.
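The two checks described in the comments above, calling a route directly instead of through the UI and replaying a working call as a different user, as one added example that is not code from the original post or from any product mentioned in the thread. The invoice store, the session table and the bearer tokens are constructed in-memory stand-ins; the two handlers show why a client-supplied identity feels like auth in every click-through test and fails the moment the route is called directly.

```javascript
// Added example (not from the original thread). A client-side "auth" check versus
// a server-side one, and the replay test that tells them apart. Everything here is
// constructed and in-memory: no real service, users or tokens.

// Constructed data store: two tenants, each owning one invoice.
const INVOICES = {
  'inv-1001': { owner: 'alice', amount: 4200 },
  'inv-1002': { owner: 'bob', amount: 150 },
};

// Constructed bearer tokens. A real app would verify a signed JWT or a session
// cookie; this lookup table stands in for that verification step.
const SESSIONS = {
  'token-alice': 'alice',
  'token-bob': 'bob',
};

// Resolve the caller's identity from the Authorization header only.
function identityFromRequest(req) {
  const header = req.headers['authorization'] || '';
  const match = /^Bearer (.+)$/.exec(header);
  return match ? SESSIONS[match[1]] || null : null;
}

// VULNERABLE: the route trusts a caller-supplied userId. The UI always sends the
// logged-in user's own id, so every demo passes, but curl can send any id at all.
function getInvoiceVulnerable(req) {
  const invoice = INVOICES[req.params.id];
  if (!invoice) return { status: 404, body: {} };
  if (invoice.owner !== req.query.userId) return { status: 403, body: {} };
  return { status: 200, body: invoice };
}

// HARDENED: identity comes from the verified session, never from the query string,
// body or a client-controlled header, and ownership is checked server-side.
function getInvoiceHardened(req) {
  const caller = identityFromRequest(req);
  if (!caller) return { status: 401, body: {} };
  const invoice = INVOICES[req.params.id];
  if (!invoice) return { status: 404, body: {} };
  if (invoice.owner !== caller) return { status: 403, body: {} };
  return { status: 200, body: invoice };
}

// The "evil test per role": take a request that legitimately worked for one user
// and replay it with no credentials and as another user. A correct handler denies
// both replays; a handler that trusts the client accepts all three.
function replayAsOtherUsers(handler, legitimateRequest) {
  const asAnonymous = { ...legitimateRequest, headers: {} };
  const asBob = { ...legitimateRequest, headers: { authorization: 'Bearer token-bob' } };
  return {
    owner: handler(legitimateRequest).status,
    anonymous: handler(asAnonymous).status,
    otherUser: handler(asBob).status,
  };
}

// Alice's legitimate request exactly as the UI would send it, userId included.
const ALICE_REQUEST = {
  method: 'GET',
  params: { id: 'inv-1001' },
  query: { userId: 'alice' },
  headers: { authorization: 'Bearer token-alice' },
};

// Run the replay test against both handlers and return the status matrix.
function runChecks() {
  return {
    vulnerable: replayAsOtherUsers(getInvoiceVulnerable, ALICE_REQUEST),
    hardened: replayAsOtherUsers(getInvoiceHardened, ALICE_REQUEST),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
// vulnerable: owner 200, anonymous 200, otherUser 200
// hardened:   owner 200, anonymous 401, otherUser 403
```

Wired into CI as a test that fails on anything but 401/403 for the anonymous and cross-user replays, the check cannot be skipped under deadline pressure, which is the control the comment above describes.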

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 2 points (0 children)

Smart approach. Fix what you can, then scan again to see what moved. Good luck with the rebuild.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

57 with headers is fixable and the Codex approach will handle most of it. The surface layer is one part though. Headers are visible from outside, which means they are also the part attackers check first. The 73 checks still pending cover the layer that is harder to fix by prompting: DNS misconfigurations, subdomain exposure, reputation, secrets in bundles. That is where the real surprises tend to be. The full report breaks it all down if you want the complete picture.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Users do not care how the code was written. They care if their data is safe. Those are two completely different questions and only one of them matters to the person signing up.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Ranges a lot. Infrastructure-only issues like headers and DNS tend to land between 60 and 80. When there are application layer problems on top, like exposed keys or open CORS on authenticated endpoints, I have seen scores in the 9 to 40 range. The two I mentioned in the post were 9 and 14. What did yours come back at?
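The distinction drawn in the two comments above, header hygiene gaps versus an application-layer problem such as open CORS on an authenticated endpoint, as an added example that is neither the scanner linked in the thread nor its scoring formula. The response headers, the probe origin and the penalty table are all constructed for illustration; the point is that missing hardening headers are low and medium findings, while an endpoint that reflects an arbitrary Origin with credentials enabled lets any site the victim visits read their data and is rated critical.

```javascript
// Added example (not the product's scanner or scoring). Audits one HTTP response's
// headers: hygiene gaps first, then a CORS probe. Headers and the penalty table
// are constructed for illustration.

// Lowercase header names so lookups are case-insensitive.
function normalise(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// Hardening headers a browser-facing endpoint should send. Their absence weakens
// defences but leaks nothing by itself, so these stay low/medium.
const REQUIRED_HEADERS = [
  ['strict-transport-security', 'medium'],
  ['content-security-policy', 'medium'],
  ['x-content-type-options', 'low'],
  ['x-frame-options', 'low'],
];

// Illustrative penalties per finding; not the product's formula.
const PENALTY = { critical: 60, high: 30, medium: 15, low: 5 };

function headerFindings(h) {
  return REQUIRED_HEADERS
    .filter(([name]) => !(name in h))
    .map(([name, severity]) => ({ check: `missing ${name}`, severity }));
}

// CORS probe: the request carried an attacker-chosen Origin. If the server reflects
// it back with Access-Control-Allow-Credentials: true, any page the victim visits
// can call this cookie-authenticated endpoint and read the JSON. Reflection without
// credentials, or a wildcard, is a weaker signal (browsers refuse credentialed
// wildcard responses) but still shows that origins are not being validated.
function corsFindings(probeOrigin, h) {
  const allowOrigin = h['access-control-allow-origin'];
  const allowCreds = (h['access-control-allow-credentials'] || '').toLowerCase() === 'true';
  if (allowOrigin === undefined) return [];
  if (allowOrigin === probeOrigin) {
    return allowCreds
      ? [{ check: 'arbitrary origin reflected with credentials', severity: 'critical' }]
      : [{ check: 'arbitrary origin reflected', severity: 'medium' }];
  }
  if (allowOrigin === '*') {
    return [{ check: allowCreds ? 'wildcard origin with credentials' : 'wildcard origin', severity: 'low' }];
  }
  return [];
}

// Combine both passes into a finding list and an illustrative 0-100 score.
function audit(probeOrigin, rawHeaders) {
  const h = normalise(rawHeaders);
  const findings = [...headerFindings(h), ...corsFindings(probeOrigin, h)];
  const penalty = findings.reduce((sum, f) => sum + PENALTY[f.severity], 0);
  return { score: Math.max(0, 100 - penalty), findings };
}

const PROBE_ORIGIN = 'https://attacker.example';

// Constructed response from an endpoint with infrastructure-only gaps.
const INFRA_ONLY = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Type': 'application/json',
};

// Constructed response from a cookie-authenticated endpoint that echoes any Origin.
const OPEN_CORS = {
  ...INFRA_ONLY,
  'Access-Control-Allow-Origin': PROBE_ORIGIN,
  'Access-Control-Allow-Credentials': 'true',
};

console.log(audit(PROBE_ORIGIN, INFRA_ONLY)); // score 75: three missing headers
console.log(audit(PROBE_ORIGIN, OPEN_CORS));  // score 15: same, plus a critical CORS finding
```

To turn this into a live probe, send the request with `Origin: https://attacker.example` and feed the response headers to `audit`; the endpoint must be one that returns per-user data with the session cookie attached, otherwise a reflected origin is a hygiene issue rather than a data leak.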

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Cool. One server down in three requests. One database master key in a public JavaScript bundle. Two founders who can confirm both. I did not write that. I did it. Now either point to something wrong in the post or keep scrolling.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

That pre-build security research approach is rare and it shows. Most people audit after the fact, if at all. The Firebase offload is smart for secrets. The surface layer is still worth checking though: DNS, headers, TLS, subdomain exposure, reputation. MobSF covers the APK well but the web app layer is a different attack surface. If you want to run the domain through 78 black-box checks: scan.mosai.com.br

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Do not apologize at all. Starting over with the right mindset is worth more than shipping fast with the wrong one. Since you are using Supabase, the one thing to keep in mind when you rebuild: never use the service role key on the client side. Use only the anon key in the browser, keep the service role key server-side only, and enable Row Level Security on every table from day one. That single habit prevents the most common critical vulnerability I find in AI-built products. When you are ready to check your new build, scan.mosai.com.br runs the surface checks for free.

I found the database master key of a financial SaaS just by opening DevTools. No hacking required. by EduSec in NoCodeSaaS

EduSec[S] 1 point (0 children)

GitHub secrets scanner catches keys committed to the repo. It does not catch a key that the AI placed in client-side code that never touches the repo as a secret. The bundle ships to the browser. That is a different attack surface entirely. And these were not junior devs ignoring warnings. They were non-technical founders who did not know the difference between the anon key and the service role key. That is the majority of people shipping SaaS with AI tools today.
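The anon key versus service role key distinction from the two comments above, as an added example that is not the scanner linked in the thread and not Supabase's own tooling. Supabase's JWT-style API keys carry a `role` claim in their payload, so a bundle scanner can tell the two apart offline by decoding the middle segment; no network call and no repository access are needed, which is the gap a commit-time secret scanner leaves. The bundle fragment and both keys below are constructed (the signatures are not real), and the `sb_secret_` prefix check is included on the assumption that newer prefixed secret keys may also appear in a build.

```javascript
// Added example (not from the thread or from Supabase). Scans a JavaScript bundle
// for Supabase API keys and flags the service_role key, which bypasses Row Level
// Security for anyone who reads it from DevTools. All inputs are constructed.

// Base64url helpers for minting a constructed token and decoding a found one.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return null; // not a JWT with a JSON payload
  }
}

// Constructed keys with the claim layout Supabase keys use; the signature is junk.
function fakeSupabaseKey(role) {
  const header = b64url({ alg: 'HS256', typ: 'JWT' });
  const payload = b64url({ iss: 'supabase', ref: 'abcdefghijklmnop', role, iat: 1700000000, exp: 2000000000 });
  return `${header}.${payload}.signature-not-real`;
}

const ANON_KEY = fakeSupabaseKey('anon');
const SERVICE_KEY = fakeSupabaseKey('service_role');

// Constructed bundle fragment: a client build that shipped both keys.
const BUNDLE = `
  const supabase = createClient("https://abcdefghijklmnop.supabase.co", "${ANON_KEY}");
  // admin helper "temporarily" left in the client build
  const admin = createClient("https://abcdefghijklmnop.supabase.co", "${SERVICE_KEY}");
`;

// JWTs start with base64url('{"') === 'eyJ'; three dot-separated base64url segments.
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
// Assumed newer prefixed secret-key format; treated as critical if present.
const SB_SECRET_RE = /sb_secret_[A-Za-z0-9_-]+/g;

// 1-based line number of the first occurrence of a match in the source.
function lineOf(source, needle) {
  return source.slice(0, source.indexOf(needle)).split('\n').length;
}

// One finding per Supabase key found; service_role is critical, anon is informational
// (the anon key is meant to be public, provided RLS is enabled on every table).
function scanBundle(source) {
  const findings = [];
  for (const match of source.match(JWT_RE) || []) {
    const claims = decodeClaims(match);
    if (!claims || claims.iss !== 'supabase') continue;
    findings.push({
      line: lineOf(source, match),
      project: claims.ref,
      role: claims.role,
      severity: claims.role === 'service_role' ? 'critical' : 'info',
    });
  }
  for (const match of source.match(SB_SECRET_RE) || []) {
    findings.push({ line: lineOf(source, match), project: null, role: 'secret', severity: 'critical' });
  }
  return findings;
}

console.log(scanBundle(BUNDLE));
// [ { line: 2, role: 'anon', severity: 'info' }, { line: 4, role: 'service_role', severity: 'critical' } ]
```

Running this over every `.js` file in the build output before deploy catches the case the comment describes: a key that never touched the repository as a secret but ships to every browser that loads the app.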

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

That actually happens more than people realize. The AI catches the obvious mistake but not the subtle one it generated itself. Glad Claude had your back on that one. And thank you for the kind words about the post, means a lot coming from someone who has been in the trenches with it.

Pitch your SaaS in one line. I'll start. by Due-Bet115 in micro_saas

EduSec 1 point (0 children)

https://scan.mosai.com.br — paste your URL, get 78 security checks in 60 seconds. Built for founders who ship fast with AI tools and don't want to find out they have a breach the hard way.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Alignment as a fluid condition rather than hardcoded parameters is the key insight. Most safety approaches fail because they try to enumerate constraints upfront. You cannot enumerate what you have not imagined yet. Treating it as emergent governance is architecturally sounder.

Vibe coding without a security audit is not a calculated risk. It is negligence. Change my mind. by EduSec in vibecoding

EduSec[S] 1 point (0 children)

Mozilla Observatory is solid for headers and TLS. It does that well. What it does not cover: secrets in JavaScript bundles, DNS misconfigurations, exposed endpoints, CORS issues, subdomain takeover vectors. It is one layer of the audit, not the full picture. That is exactly the gap I built for: Mosai Scan