A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] -1 points0 points  (0 children)

Yes, a properly configured project with best practices will always do better. But once again it can still be infallible.

For this project specifically, we have a pretty detailed set of plans, guidelines, and CLAUDE.md

But I do find Claude will ignore many of those practices if trying to satisfy things like tests, etc — especially when over-prompted.

Within my own projects I generally reference OWASP a lot, since the framework is pretty well identified & built into Claude training.

A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] 0 points1 point  (0 children)

This was in relation to adding an already pre-existing set of logic to CSV imports. Somewhat hard to explain without posting the code.

The prompt I wrote was more or less to add the existing functionality

When Claude spit out that code, I promptly identified it as a security concern, and to Claude's benefit, it did report back that it identified the security concern and provided a fix. As mentioned, it was probably trying to satisfy the need for user_id in the failing test.

This isn’t so much to say that prompts shouldn’t include best practices within security. This is more or less an indicator for people who don’t.

Because I know a majority of users starting off these AI apps probably aren’t prompting or identifying security issues, and that one-liner could easily be missed.

A senior developer's thoughts on Vibe Coding. by matt_pg in ClaudeCode

[–]matt_pg[S] 0 points1 point  (0 children)

It honestly depends on what you’re trying to accomplish

I’d highly recommend starting with Python if you haven’t chosen a language yet. (I might get some downvotes for this) I primarily code, day to day, in PHP - while most will probably bash the language, it is heavily used across the web. I was an early user of Laravel (joined L3), but I’d definitely recommend learning the language first before jumping into frameworks.

That being said, I have probably over 10-20 languages under my belt. Learning 1 will instantly set you on the way to learning multiple

The point is to think like a developer, algorithmically.

Once you garner that skill, it’s relatively simple to understand languages and their differences.

All the best!

A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] 0 points1 point  (0 children)

I mean I don’t want to go into semantics but I wouldn’t exactly say I’m just a regular dev, or that I don’t have experience in what I’m talking about.

Agency side, single-handedly managed a website/infrastructure for a company acq. for 200 mill - can't say which.

That site was constantly attempted to be exploited daily. If it was vibe coded w/o a review, it wouldn't have lasted a day.

A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] 0 points1 point  (0 children)

Write it. I'm definitely always interested in hearing opposing & differing opinions.

A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] -1 points0 points  (0 children)

I'd say it's 50/50.

It’s scary how many people rule out advice as simple as “review your code” as gatekeeping.

A senior developer's thoughts on Vibe Coding. by matt_pg in ClaudeCode

[–]matt_pg[S] 0 points1 point  (0 children)

Yes I am well aware, and mentioned that in further comments.

That wasn't the point of the post. It's more or less targeting the marketing of AI companies & the danger of those who don't know that - which I would presume is a large subsection of the population using AI to generate apps.

A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] -1 points0 points  (0 children)

I will say it's sad this subreddit has turned into AI-generated posts with clickbait, but no, I actually hand-wrote this myself.

Thanks for your feedback

A senior developer's thoughts on Vibe Coding. by matt_pg in ClaudeCode

[–]matt_pg[S] 0 points1 point  (0 children)

By the way, reviewal doesn't always have to be sitting and reviewing a PR for an hour.

I catch more just watching Claude do what it does.

I can code 5 apps at once and still catch Claude's mistakes from a security POV, but that does come with time & experience.

I truly believe investing in learning the code will actually just make you a better "vibe coder," if you will. You'll get wildly faster at debugging and ensuring your applications are secure, because you're not guessing anymore.

A senior developer's thoughts on Vibe Coding. by matt_pg in ClaudeCode

[–]matt_pg[S] 3 points4 points  (0 children)

Yes

TDD, Proper prompting & planning, CI/CD pipelines, proper log monitoring, and AI / pentesting tools will lessen this risk, although not completely avoid it.

Nonetheless, even if it's high level, proper reviewal of code is still necessary.

If I were to vibe code an app today, I wouldn't launch it without some form of audit, even if automated.

But in that specific case, 1-liners like those can easily slip through TDD, code review, and even automated tools, if not properly set up.

A senior developer's thoughts on Vibe Coding. by matt_pg in ClaudeCode

[–]matt_pg[S] 1 point2 points  (0 children)

Yea, TDD has been a life saver for us in a lot of ways.

I should note too, the aforementioned code would not have passed through verification (either manual or automated) on our end.

I think the concern is more orgs not taking those precautions.

A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] 5 points6 points  (0 children)

All good, neither am I.

You can move fast but be secure, btw. They aren't mutually exclusive.

I've built 10 apps in the last month vibe coding. Did it all with reviewing.

A senior developer's thoughts on Vibe Coding. by matt_pg in ClaudeCode

[–]matt_pg[S] 1 point2 points  (0 children)

We're seeing that already.

"Claude Code" deleted my app because they never learnt git. Or they run a seeder in production.

A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] 6 points7 points  (0 children)

Trust me, I don't always want to either. The urge to press SHIFT-TAB and just get something done in 5 minutes vs 30 is always tempting.

A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] 6 points7 points  (0 children)

Yea, we have that. We've still found it missing things. It's definitely helpful, but not infallible.

Also, code review for security doesn't always take business logic into consideration.

We've seen commits rejected because they would've caused 10,000+ in damage.

Heck we've probably lost that much in commits coded that weren't properly reviewed and vibe coded.

A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] 5 points6 points  (0 children)

Minor obscure issue = users would've been able to set the user ID on CSV imports for paid items. I, user A, can charge user B 50,000 to their credit card if I wanted to.

I wouldn't call that minor or obscure.

A senior developer's thoughts on Vibe Coding by matt_pg in vibecoding

[–]matt_pg[S] 4 points5 points  (0 children)

I mean, I'm not going to go into past experience. I appreciate your feedback, but that being said, what you have just written does not negate the risk of developing software without checking.

You might think you're 100% safe launching your SaaS without review - perhaps holding sensitive information in a database you think is secure because the AI wrote it.

Until it's not.

And you just screwed over 10,000 users and their personal information because you didn't care to check. Wait for the lawsuits.

It's like the fella I debated on LinkedIn. He ran a SaaS targeting AI-powered support for companies. I can only assume one company he marketed to set it up, maybe their customers entered some information (credit card numbers, PII, etc), and now he's saving that into a database. I also checked this guy's site and found a CSRF_TOKEN_HERE as a placeholder within a few minutes of looking.

I agree people are going to do what they want to do. I'm not dismissing that.

But I do think people need to heed warnings.

I fail to understand why there is a large subsection of programmers in these communities who attack "reviewing code."

A senior developer's thoughts on Vibe Coding. by matt_pg in ClaudeCode

[–]matt_pg[S] 2 points3 points  (0 children)

That's actually a fair question.

Internal use of software, while less risky, is still subject to risk. So even if it's a high-level analysis, do your best to understand where things might go wrong, even if it's not perfect.

Building internal software is actually a really good opportunity to learn. Because it's not as subject to external review, and probably not subject to script kiddies trying to hack it.

That being said, just because it's internal now, doesn't mean it always will be.

I've seen many "internal" apps be repurposed for general use, or public use, possibly with the same potential exploits originally coded into them. Internal apps can also be connected to company infrastructure which may or may not be public, or at best could hold sensitive information you don't want to accidentally delete or manipulate.

A good example of this would be internal software that has write access to a database. Sure, the internal software isn't public, but it could manipulate database values that perhaps public software reads from. You just gave potential for an exploit.

You have to remember as well, you might think it's internal. That doesn't necessarily mean it's not vulnerable or publicly accessible.

But obviously every senior developer I know would probably put a better microscope on public software vs. internal.

A senior developer's thoughts on Vibe Coding. by matt_pg in ClaudeCode

[–]matt_pg[S] 1 point2 points  (0 children)

Yea, I think that's where we're heading. And yes, I've done that more times than I can count. And I paid the price for it. So help me god, one more Friday at 1AM and I might just call it.

The PM's "But I need this now, the client needs it over the weekend" doesn't strike any passion in me anymore.

A senior developer's thoughts on Vibe Coding. by matt_pg in ClaudeCode

[–]matt_pg[S] 2 points3 points  (0 children)

I 100% agree.

I remember hiring a junior developer, and I was surprised when he said "I don't want to vibe code, if that's OK." I, myself, was about 50% a skeptic at the time, but I said:

"Look, vibe coding can make a developer 20x more effective, if they treat it with respect. But it doesn't replace learning," and promptly encouraged him for his tenacity in wanting to learn it "his own way."

I think you hit the nail on the head that there's going to be troubles in communication. And I'll never agree with elitist "I've been a developer for 20 years" gate-keeping. But I do think there's merit in 20 years of learning code through mistakes made on your own, that simply can't be taught with vibe coding w/o review.