Redefining CyberSecurity

Vibe Coding: Creativity Meets Risk in the Age of AI-Driven Development | A Conversation with Izar Tarandach | Redefining CyberSecurity with Sean Martin

Episode Summary

Vibe coding sounds fast and effortless—but what happens when AI-generated code bypasses security checks and leaves teams with invisible risk? In this episode, Sean Martin and Izar Tarandach unpack the tension between innovation and responsibility, challenging security leaders and developers to rethink how they build and secure code in an AI-driven world.

Episode Notes

⬥GUEST⬥

Izar Tarandach, Sr. Principal Security Architect for a large media company | On LinkedIn: https://www.linkedin.com/in/izartarandach/

⬥HOST⬥

Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

⬥EPISODE NOTES⬥

In this episode of Redefining CyberSecurity, host Sean Martin sits down with Izar Tarandach, Senior Principal Security Architect at a major entertainment company, to unpack a concept gaining traction across some developer circles: vibe coding.

Vibe coding, as discussed by Izar and Sean, isn’t just about AI-assisted development—it’s about coding based on a feeling or a flow, often driven by prompts to large language models (LLMs). It’s being explored in organizations from startups to large tech companies, where the appeal lies in speed and ease: describe what you want, and the machine generates the code. But this emerging approach is raising significant concerns, particularly in security circles.

Izar, who co-hosts the Security Table podcast with Matt Coles and Chris Romeo, calls attention to the deeper implications of vibe coding. At the heart of his concern is the risk of ignoring past lessons. Generating code through AI may feel like progress, but without understanding what’s being written or how it fits into the broader architecture, teams risk reintroducing old vulnerabilities—at scale.

One major issue: the assumption that code generated by AI is inherently good or secure. Izar challenges that notion, reminding listeners that today’s coding models function like junior developers—they may produce working code, but they’re also prone to mistakes, hallucinations, and a lack of contextual understanding. Worse yet, organizations may begin to skip traditional checks like code reviews and secure development lifecycles, assuming the machine already got it right.

Sean highlights a potential opportunity—if used wisely, vibe coding could allow developers to focus more on outcomes and user needs, rather than syntax and structure. But even he acknowledges that, without collaboration and proper feedback loops, it’s more of a one-way zone than a true jam session between human and machine.

Together, Sean and Izar explore whether security leaders are aware of vibe-coded systems running in their environments—and how they should respond. Their advice: assume you already have vibe-coded components in play, treat that code with the same scrutiny as anything else, and don’t trust blindly. Review it, test it, threat model it, and hold it to the same standards.

Tune in to hear how this new style of development is reshaping conversations about security, responsibility, and collaboration in software engineering.

⬥SPONSORS⬥

LevelBlue: https://itspm.ag/attcybersecurity-3jdk3

ThreatLocker: https://itspm.ag/threatlocker-r974

⬥RESOURCES⬥

Inspiring LinkedIn Post — https://www.linkedin.com/posts/izartarandach_sigh-vibecoding-when-will-we-be-able-activity-7308105048926879744-fNMS

Security Table Podcast: Vibe Coding: What Could Possibly Go Wrong? — https://securitytable.buzzsprout.com/2094080/episodes/16861651-vibe-coding-what-could-possibly-go-wrong

Webinar: Secure Coding = Developer Power, An ITSPmagazine Webinar with Manicode Security — https://www.crowdcast.io/c/secure-coding-equals-developer-power-how-to-convince-your-boss-to-invest-in-you-an-itspmagazine-webinar-with-manicode-security-ad147fba034a

⬥ADDITIONAL INFORMATION⬥

✨ More Redefining CyberSecurity Podcast: 

🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast

Redefining CyberSecurity Podcast on YouTube:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

Interested in sponsoring this show with a podcast ad placement? Learn more:

👉 https://itspm.ag/podadplc

Episode Transcription

Vibe Coding: Creativity Meets Risk in the Age of AI-Driven Development | A Conversation with Izar Tarandach | Redefining CyberSecurity with Sean Martin

Sean Martin: [00:00:00] And hello everybody. You're very welcome to a new episode of Redefining Cybersecurity here on ITSP magazine. This is Sean Martin, your host, where if you listen to the show, you know, I get to talk to lots of cool people about cool topics ranging all over the business from, uh, security operations to, uh, managing risk and privacy and meeting compliance. 
 

And, and of course, at the core of a lot of the business, especially today, is technology. Companies use and build technology to enable them to achieve new things for all of their customers and partners. And I don't know, I, I'm thrilled to have Izar on with me. Izar, how are you? Are, are you feeling the vibe my 
 

Izar Tarandach: Thank you. Um, I feel the vibe. I 
 

Sean Martin: feel that I. 
 

Izar Tarandach: We, we are vibe podcasting here. It's, it's extremely, uh, vibing. Yeah, 
 

Sean Martin: It, this is gonna be a vibe podcast. There's no rules, no script. We're just gonna go with the flow, which is the whole thing 
 

Izar Tarandach: we'll [00:01:00] just click and see where it goes. 
 

Sean Martin: Just let, let it, let it happen. Uh, so the, the topic today is vibe coding, and, uh, we're gonna have a lot of fun with this, I think. Uh, before we get into it, uh, fellow podcaster, Izar, uh, a little bit about yourself, uh, what you do and who you talk to on your podcast, perhaps even. 
 

Izar Tarandach: So first of all, thanks for having me here. It's really, um, no less than an honor to be on such an established and popular podcast. So thank you for the opportunity. And, uh, I am currently a senior principal security architect in a very large entertainment organization. And, uh, prior to this, I, I have worked in, in a number of big, not so big and small places. 
 

So in the last, I don't know, hurts to say 20 something years almost, I, I have amassed a lot of, uh, um. Experience [00:02:00] seeing different facets of security, working, not working, things improving, things going backwards. So I, I like to think that I am equipped to give op opinions. I don't expect people to agree with them or even understand them most of the time, sometimes because of the accent. 
 

But, uh, I, I do feel equipped to give them anyway. And since nobody's paying me to give opinions, I feel even more equipped to say whatever I'm thinking without thinking of, uh, other stuff like that. Right. And, uh, I'm very, uh, fortunate to be able to do that almost once a week with Matt Coles and Chris Romeo in the Security Table podcast, where basically we just tune in to have fun and riff about something that is, uh, uh, related to security somehow, specifically application security. 
 

And, uh, many times we have circled around this, this topic that we're going to [00:03:00] vibe on today, but we haven't really touched on it. And, uh, I think Wednesday I had, uh, an impromptu rant on LinkedIn and I think that that's what 
 

Sean Martin: yes. 
 

Izar Tarandach: let us do it here. 
 

Sean Martin: Absolutely. Thanks. Thanks for pointing that out. I'll include a link to that, uh, to that post, which is the inspiration for me reaching out and, uh, and inviting you to join me. And hopefully you'll share with me an episode that you, you all do when you, when you have it as well. Um, so I can hear, uh, the, the broader perspective. 
 

I know, uh, we were hoping to get somebody else on with us today, but that, that wasn't happening. But, uh, the two of us, we'll vibe well together nonetheless. Um. So, yeah, so clearly my audience, security leaders, CISOs, um, folks working in the SOC analysts, uh, system managers, system engineer, architects, a whole lot of folks, uh, get the joy of [00:04:00] securing stuff that's bought commercially, securing stuff that's, that's implemented by solution providers and tuned and tweaked to match the environment stuff built by. 
 

Companies themselves. Um, and it's that last part that I think, at least my perspective is the most challenging for security teams because they have an opportunity to make a difference in what gets developed and employed. But there's a lot of, a lot of angst in that relationship and, um. And I think a lot of organizations I've worked for, some large ones and some smaller ones where they develop stuff and most of the time there's a, a structured process, some lifecycle of, of coding lifecycle and process for how to build stuff. 
 

And teams kind of follow that. Or we're talking about today though, is vibe coding, which is on the other end of the [00:05:00] spectrum where it's not. Here's a, here's a, here's a way to develop code, but it's a feeling of code, right? And I'm not gonna do it justice. My understanding of what it means. Maybe, maybe you can kind of take the reins here and, and give us a, a feel for a feel for what vibe coding is. 
 

Izar Tarandach: So I'm probably not going to do it justice as well, but I, I can offer what I understand of it and what prompted my rant. And apparently, I forget the name of the gentleman, Carti or something like that. He came out with, uh, a post on X describing a situation or an experience where he started interacting with, uh, uh, an LLM. 
 

And basically describing the things that he wanted to happen and describing his design. And apparently this massive of code functional working code just emerged in some magical form and all of a sudden things were ready to [00:06:00] deploy, publish, or whatever, and everybody lived happily ever after. 
 

Sean Martin: I'm gonna pause you quickly 'cause I did a little bit of research and evidently early days of Twitter, Dorsey and team actually used a form I. According to our good friend, uh, uh, prompted through an l uh, uh, LLM based or user interface based LLM, uh, so early days of Twitter, vibe, code driven, uh, and evidently there's a hardcore mode. 
 

At the current X, that is also vibe driven according to, uh, this, this particular resource. Um, so there are large organizations, even if it's one was our infant state, then the new iteration of it is not in its infancy. But, uh, there are organizations using this model for sure, or a style. 
 

Izar Tarandach: you know, uh, my, [00:07:00] my, my question to the world at large, apart from the obvious why, where the answer is, uh. Because we can, 
 

Sean Martin: That's usually the case. 
 

Izar Tarandach: my, my real question here is haven't we learned anything? Are we really, really willing to go by and just repeat the errors of the past and now even intensify them in the name of, uh, cheap and fast? 
 

Doesn't anybody remember the cheap, fast and good thing? So. 
 

You know when, when, when I see people claiming the, the absolute advantages and and miracles that vibe coding can, can bring one, and having experienced myself experimented and you know that there is a feeling of acceleration to be able to just. Describe what you want, or, or, [00:08:00] or just select a piece of code and say what you really, really wanted to do and just see things happening in, in front of us. 
 

Right. And when it, when it works, it works. Wonderful. So I don't want anybody thinking that I'm some kind of Luddite here that's like screaming at the blue sky and saying, oh, in my day it was harder, so today it has to be harder, you know. 
 

Sean Martin: get off my lawn. 
 

Izar Tarandach: Exactly. Exactly. I'm, I'm, I'm, I'm fine with progress. What I'm less fine with again, is not learning from the past. 
 

Right. Best of my understanding today, coding AI is what we should be classifying as a junior programmer. Sure. They, they know how to write the Fibonacci sequence functions wonderfully and they know how to sort matrices and whatnot because that stuff is in the books that were used in the model, but start requiring [00:09:00] a bit more from it, requesting a bit more from it, and, and things take a turn very fast. 
 

Apart from that, they have many times been trained on perhaps code that wasn't the best and. Add to that hallucination and things start getting the, the, the delta of acceptance here starts getting way too large. Right? 
 

Sean Martin: Yeah, let, let me, uh, I'm gonna play a little down. I'm, I'm on your side mostly, I think, uh, just 'cause I have, I have enough 
 

Izar Tarandach: we, we haven't yet said what my side is. 
 

Sean Martin: I, that's true. I have a feeling though, but, uh, I dunno. Maybe not. But anyway, I've seen a lot of, seen a lot of stuff in 30 plus years that I've been doing this too. But, so my devil's advocate side is. 
 

Perhaps, and I don't know, maybe if we look at it from a security perspective or I'm always ranting, security gets left behind in the innovation, uh, on the [00:10:00] innovation train. Maybe there's an opportunity here, but I guess my point is if the, the, the feeling of what I want to achieve can be expressed, perhaps I can see an outcome that I want. 
 

And find a way there technically with the code that I might not be able to do just by knowing how to code properly. So that's my devil's advocate side of saying is there, is there an opportunity? Now I'm not saying build stuff and then let it let it fly. I think to your point of junior programmer. Have to be some guards, guardrails and some checks and balances, and maybe you shore up the team with different skill sets and different, different sets of processes that help adjust for this. 
 

But I, I just think because a lot of times building stuff, a lot of time you get caught in the code and you forget [00:11:00] what the objective is or what the outcome should be. He might even reach the objective but not achieve the ultimate outcome. With the code that gets built. So I, I'm gonna leave that there, 'cause I, I'm probably stirring up a lot of thoughts for many 
 

Izar Tarandach: let, let me, let me start by saying I think that it's, the final outcome is the scenario that you're describing. I'm just gonna throw out there that if you're on one side of the river and your final objective is to get to the other side of the river, if that bridge between both points is going to fall, as soon as you step on it, it doesn't help that you are seeing your objective. Right? The, the bridge got constructed, but it, it's rickety, it's gonna fall. 
 

Sean Martin: You have to swim across. 
 

Izar Tarandach: My, my point is that today, and again, I'm not a Luddite, so I recognize that we have really, really, really good tooling out there that can help us make that bridge stronger, right? We, we have some great examples of [00:12:00] even AI based stuff that's reading code and checking for security, but even that stuff is fallible. 
 

Perhaps it's, it has been better trained towards security, but it's too fallible. But it's, it's valuable in the same way that other more traditional tools are. My point is that historically we have had a problem with educating programmers about security. It is, it has been, in my experience, one of the, the most difficult, uh, uh, obstacles to go over. 
 

Doesn't matter how much guidance we give them. Doesn't matter how many FAQs we ask them to write. Doesn't, uh, it doesn't matter how many, uh, reductions we do in the requirements, just bringing things to their absolute principles and asking them to have that thing in mind. It's extremely difficult. 
 

Security is still seen as an obstacle, which might be one of the reasons why people like so much [00:13:00] the idea of, uh, describe and, and run programming. The problem again is that this being at the level of the junior, uh, junior, uh, uh, programmer, we have to consider that that code has to be treated in a way that we have to declare it. 
 

It's not security. I know it's secure. It has to go through the SDL, it has to go through all the tools that we have to apply into code. It has to go through all the testing. Then all of a sudden people are going to say, but wait, I, I, I used vibe coding. Of course, the, the, the code is perfect. The machine wrote it, right, my specification, but the machine wrote a code, so it must be perfect. 
 

And believe me, there's a lot of people assuming that out there. So what I'm worried about is that now we are going to start creating this huge, huge, huge mountain of risk that at the end of the day is going to come out as a huge iceberg of risk. We are not going to apply these tools that we fought so hard to put into place to make things [00:14:00] more secure because people are just going to assume that somebody did it for them in the training of the model or in the writing of the code or the tool that you're using to, to do your vibe coding. 
 

And that's just going to, to exponentially raise the attack surface that we have to deal with. Right. 
 

Sean Martin: Yeah. Oh yeah. Go ahead. 
 

Izar Tarandach: Now I, I, I go back to, in, in my rant, I go back to the, the days when, uh, Visual Basic came out, right? For those who remember, and some people said, that's it. We don't have to write code anymore. You can just draw your forms and create a business logic, and the code will write itself and. 
 

The challenge was what? What if you want to do something that Visual Basic is not equipped to do, you want to change some format or something, you have to go into the code and actually see what was written in there. So all of a sudden you have to understand the code. All of a sudden you have to be able to modify it in a way that's not going to break anything else. 
 

So we are relying on vibe coding for [00:15:00] people and, and I have met these people who reported they are not coders to launch their amazing services and apps. What happens at three in the morning when they have a, a, a security incident, and they have to deal with that, and only then they're going to sit down and say, wait, what? 
 

What does this code do? And why do I think that I'm equipped to learn it or to understand it? 
 

Sean Martin: Yep. You bring up two good points that, uh, quickly surfaced for me when I was poking around. Looking at this one is interoperability, so I. This stuff can affect, right? Whatever comes in, if the, that changes could affect how this thing works and the outcome going up upstream or back, wherever it's going next can also be impacted, um, which may not vibe on as you're coding that piece. 
 

Um, the other thing that surface, which you touched on as well, I think. Is, uh, the, the, the legacy, right? We, we carry this chain of stuff around [00:16:00] with us, and if somebody needs to your point, somebody needs to go back in and understand how, why is this doing it this way and how does it work? And how, how can I change it to now fit into whatever else we're working on now, or fix a problem or a vulnerability that that's, that's surfaced because of it, it, it becomes. A challenge for the teams that, uh, that need to deal with this code. So, um, even just from a, even just from a process and long longevity and sustainability of, of the system you're building, I think it, it introduces a lot of fun stuff to, that needs to be considered anyway. 
 

Izar Tarandach: Yep. Yeah, and, and I don't think that people are aware of the, the risk that they're carrying or starting to carry. I. Especially in big corporations who are taking the reduction approach to, to this and saying, 60% of all code is going to be written, blah, blah, blah, blah, blah in 2000 and whatever. [00:17:00] But they're not considering that code. 
 

Code gets written, but code needs to be maintained and environments need to be protected, and that code is the frontline of that protection. It's, it's the entry point where bad things are gonna happen. So what are you gonna do when you notice that the machine that wrote the code isn't as good at reading it and understanding what went wrong, or simply refuses to work with you? 
 

As we have seen some cases in the past two weeks where somebody asks for a, a, an assistant to write code and the assistant says, no, no, no, I think that you should write this code. Right. I don't know if in jest or not, but I've seen it. I haven't looked under the hood to see if it's true or not, but it's out there. 
 

Sean Martin: I, I can't help it. I'm, I'm, that's a, it's a squirrel moment, but you, your shirt, I dunno if you wore it purposefully or a sweatshirt or whatever. 
 

Izar Tarandach: Oh, yeah, yeah. 
 

Sean Martin: Can you, can you show it to 
 

Izar Tarandach: my, 
 

Sean Martin: I'll place you with a, I can't, your name's over us. I can't read 
 

Izar Tarandach: oh, uh, a very short prompt. 
 

Sean Martin: [00:18:00] very, there we go. Nice one. Yes. 
 

Izar Tarandach: it, you remember that back in the day you would say, go away or replace you with a very short script. 
 

Sean Martin: Yes, 
 

Izar Tarandach: So now it's a very short prompt, so I'm adapting to the times. But, uh, at, at the end of the, the, the, the day, what, what I'm, I'm worried about here is that, uh, uh, we may be giving up too much too soon. In other words, sure. 
 

It's a great piece of technology. It can do great stuff. But perhaps it's not up to where it should be for us to start giving it mission critical, uh, uh, uh, responsibilities. And beyond that, you know, if, if you look at the, the threats against, uh, uh, models that have already been identified, and I, I joked it the other day that somebody found something. 
 

Now that [00:19:00] you can actually. Write rules that get somehow included into an assistant, and that somehow gets included into the way that the assistant writes code, and that somehow puts bad codes on purpose inside whatever code comes out of there. So there's a lot of, this needs to happen, then this needs to happen, then this needs to happen. 
 

But at the end of the day, with the, the ease that we have today of pulling. Models that say that they do some magical thing and people don't quite look at it and or people are not even equipped to understand if, if they do that or not. And with all the supply chain stuff that we have seen been seen in the last few years, now we are introducing this new thing, which is supposed to write code for us, which suffers from the same supply chain problem as other things, perhaps even more so because. 
 

We can't check it as promptly as we would in say, a Python package. [00:20:00] Right. And again, now we are giving it the, the keys to the business and saying You run now on top of that at the fact that it's, it's funny to me that people seem to be running away from the fact that coding is basically too formal and you have to know this language in order to get your code to do the thing that you want. 
 

But now to me, they seem to be removing themselves one step further and saying, now I have to explain clearly in some human language what is it that I want to do so that my code can eventually write, so that my machine can eventually write code that will do what I want to do. So now you have two levels of interaction, and I dunno if you've been following lately, but people are really bad at expressing themselves. 
 

Sean Martin: There's that too. 
 

Izar Tarandach: So what's going to happen? Somebody's going to say, oh, you know what? This English language that we used to talk to LLMs, it's too open. We have to create a, a language based on English that is going to be easier for the [00:21:00] LLM to understand. And now we're back to formalization. And now we have, again, two levels of indirection. 
 

And now we're debugging English in order to debug code. And where does it go? Right? 
 

Sean Martin: Exactly. I. At the core of all this as well, which is maybe why organizations are looking to replace people with stuff like ai. People get lazy, people get tired. People hit a certain point and they go, that's good enough. Or I'm, I'm tired of, I'm tired of beating my head against this problem. I'm, I'm just gonna let it go as it is. 
 

Um, because. I have this next task that's on my plate, uh, so I can get my bonus or not get fired or whatever, whatever it is that's driving them. Um, and I, I'm so glad you brought up the supply chain because I mean, the whole, whole thing of microservices and open source code and, and, uh, third party services that are getting plugged in, I, I would imagine a lot of, especially a [00:22:00] lot of the, uh. 
 

A lot of the open source stuff is vibe driven, especially now. 
 

Izar Tarandach: No, no, no, no, no, no, no. I, I, I don't think so. I mean, 
 

Sean Martin: No. 
 

Izar Tarandach: I, I'll be the first one to say that I have like the utmost respect. For anybody who steps up to write an open source package that actually gets adopted and used, 'cause that person is just waking up in the, the in the morning and asking to suffer the whole day. 
 

Right. I don't know if you ever went into like GitHub issues part of any big project and see what people demand from the developers to do for them. No, I, I, I don't think that those people are coding. I think that those people. Take their work very, very seriously. 
 

Sean Martin: All right. 
 

Izar Tarandach: more so than some commercial, uh, efforts. 
 

Sean Martin: yes. No, I, I do agree with you and I, I think I misspoke there. I'm, I'm thinking more of the, the either. I was singing open source with a name to be [00:23:00] commercial where they'd have, they have the, the desire to make 
 

Izar Tarandach: Yep. Yes, yes, 
 

Sean Martin: I know, I know the, I know the community you're speaking to 
 

Izar Tarandach: Yeah. No, no, no. You, you, you got a point there. You. 
 

Sean Martin: wholeheartedly, but I think there, there are plenty of services that will go out and look up for, look up information on uh, who has a home or whatever, right? 
 

That data research and whatever that I wanna plug in so I can use that information. I don't wanna write that myself. I, anyway, I, I think there's a lot of, and will certainly be more of vibe. Written code. 
 

Izar Tarandach: That there's, I, I, I, if I get correctly what you're saying, that there is, there's a lot of plumbing laying around. People are going to connect to the plumbing with the vibe coding. So information that might be protected behind the, uh, safe and secure system eventually might get exposed by something that was vibe coded because it doesn't have the same level of, uh, uh, responsibility applied to it. 
 

I'm, I'm just using the [00:24:00] data that it gave me, right? But here I am just throwing everything on the ground and leaving it exposed for anybody who doesn't have the initial access to that other thing. 
 

Sean Martin: Yeah. 
 

Izar Tarandach: I, I, I think I see what you mean and yeah, it's, to me, it's definitely a, a worry. But, you know, again, I, I, I'm not saying don't do it. 
 

I'm not saying don't work this way. I'm not saying don't develop this approach. What I'm saying is before you embark into it completely, before you jump into the pool, check if it is the right project, the right time, the right way, or don't just blindly trust it, as many tend to do. Things are going to be fine just because you didn't insert any mistakes in there. 
 

Sean Martin: Right. 
 

Izar Tarandach: Sometimes the mistake is inside the machine. 
 

Sean Martin: Exactly. So I'm gonna, I'm gonna do the, maybe spend a minute here on this next thing that I'm thinking of, and then I want to get into maybe how we can guide some folks on, on, uh, what to do, knowing what we just [00:25:00] talked about. Uh, so I have another podcast that's all about music and 
 

Izar Tarandach: hmm. 
 

Sean Martin: looking at technology and creativity and combining those two. 
 

Make new stuff and experience new things and, um, I had a conversation the other day, it's not published yet, uh, with a good friend of mine. He is a DJ, and a DJ is all about vibing with the room. And so one has to meet, if you wanna be successful, meet the needs of the group that you're performing for, right? 
 

Which means you might turn the volume, might change the tone, you might do the speed, da da da da. You might give 'em a chance to get to the bar. You said get a drink. So when they come back for the next song, they're ready to rock and roll. The point being, you, you, you meet the needs of that environment. So I'm wondering if there's a way to, uh, I'm always looking at things all realistically, if there's a way to guide the vibe for [00:26:00] coding. 
 

Is appropriate for the room so that it has a sense of safety built into the vibe. So as you're creating that vibe, it, it's kind of shaped with what the room is expecting as well. Now granted, you still have to have the, you still need to guide it too. You can't be a moron. 
 

Izar Tarandach: You, you, you know, you touching to something extremely interesting to me because a lot of people, I guess I, no, I don't guess, I know a lot of people get attracted to this new trend because all of a sudden they can talk to a prompt. They, they can just prompt a, a, a model and get exactly what they think that they, they need back. 
 

They don't have to talk to other people. We, we are very bad in, in computing. Yes, stereotype, but I'm going to own it because I've seen it, because I've been it. We are very bad at talking to other people, and for some of us, talking to a machine is very comforting. [00:27:00] When the whole thing of pair programming came up, I tried it and I liked the beat of having somebody working and thinking with me on the same piece of code. 
 

I didn't quite like the idea of one keyboard for two people, but uh. That back and forth of being able to discuss with something in real time. The codes that was coming up around this, this idea that we were, were having. To me it was very attractive. What I understand is happening with Vibe Code right now. 
 

I think that it's, in, in my old fashioned understanding, it's more of a zone coding. You get to talking to the LLM and you get into the zone where you're expressing yourself and you're seeing the result coming back. You are translating that feedback into something, into some refinement of the prompt and asking the machine to make changes, right? 
 

But it's less of a back and forth with the machine, unless you would think that the code being spit back at you is the machine giving [00:28:00] you the back, but it's not giving you ideas. It's not questioning your ideas. It's not saying there's a better way of doing it or a different way of doing it. It's, it, it's not like what I believe to understand a, a jam session. 


It's not two people riffing together like, like even like what we're doing here. The machine is not coming back to you and saying, oh, have you considered this other approach or this other idea? No, the machine is just doing what you want, what you tell it to do, what you think that you want it to do. So I think that it's more of a zone thing of getting into that place where you are holding your design and, and, and having your requirements in your head, aligning to a way that it's easier for you to explain to the model what you want and leave it to the, leave it to do the heavy lifting of writing the code. Right. So that's where I think that it goes a bit different from this very difficult job that I understand as a DJ's. 
 

Sean Martin: Yeah, yeah. Yeah. There's a, yeah. Really no feedback loop. 
 

Izar Tarandach: Mm-hmm. 
 

Sean Martin: No, no, no. Collab. Which [00:29:00] maybe that's, that's another interesting point, right? How, how 
 

Izar Tarandach: Or, or there is, but exactly. The people who are using this the most are not the ones equipped to understand the feedback that's coming from the machine. 'cause it's coming in the form of code. 
 

Sean Martin: Right. Right. 
 

Izar Tarandach: Right. You ask, gets to write an app. You are not looking at, show me the code you are. You are asking, show me the app, and then you fix the prompt based on what the app is doing or not doing. You're not looking at the code and saying, oh, 
 

Sean Martin: The apps of 
 

Izar Tarandach: this is what's happening. The app is the 
 

Sean Martin: As long as, as long as somebody's looking back to that whole point, as long as somebody's still getting the, the result and the outcome. Uh, too, too, uh, too crazy. I. Super fun times though, isn't it? 
 

Izar Tarandach: Look, we, we, we always had crappy software, but we always put a lot of energy into fixing the crappy software. Now it seems to me that we are putting too much energy into creating more crappy software. 
 

Sean Martin: Yeah. Yeah. And everything's custom as well. Um, well, I'm [00:30:00] having, uh, Jim Manico and Jimmy messed on 
 

Izar Tarandach: Oh. 
 

Sean Martin: for, uh, we're gonna talk about. Secure code training and all a bunch of stuff there. I'm gonna, I'm gonna have this. 
 

Izar Tarandach: You see, Jim is the guy. Jim is the guy. 'cause he, he had a, a, a, a tweet. It was a tweet at the time, I think 2017, that I use it in almost all of my presentations where he says that, uh, developers willing or not, are now the frontline of security because their code is what goes in front of the world and, and gets popped. 
 

Right? I'm, I'm paraphrasing of course, but I, I always use those words of his. 'cause people don't even know that they are now an attack vector, that they are, that they are enlarging the, the attack surface. So I, I, I just see this as, as one step in the wrong direct. One more step in the wrong direction towards what he's saying. 
 

Sean Martin: Yeah, it's, uh, it's incredible. Jim's a good guy. I'm glad to, glad to know him and [00:31:00] also call him a friend. Um, so let's, uh, yeah, so I'll, I'll, I'll include a link to that, uh, to that webinar when, when, uh, in the show notes when this comes out. But, uh, I wanna speak to. Security leaders, their engineering, uh, peers in the organization. 
 

What, um, what advice can we give them, um, kind of as we wrap up here? So, uh, clearly if, I don't know if there's stuff they can do in the SOC and, and detection and response, but that, that's gonna be too late. So maybe we focus a little further, further upstream and. 
 

Izar Tarandach: look 
 

Sean Martin: what, what do we tell them? How do we, how do. 
 

Izar Tarandach: the end, at the end of the day, we are talking software production. So waiting for the SOC is definitely too late, right? So what I would say is, instead of trust but verify, [00:32:00] don't trust and still verify. Right. Don't let yourself be taken by the optimistic view that things are going to be fine. 
 

Treat it as a junior developer. Treat the code that comes from a machine as a junior developer. Apply the same filters that you would or otherwise still do your code review. Use all the tools that you have at your disposal to check that code. Do not accept it as is and think that it's magical code just because a machine wrote it. 
 

Sean Martin: Are there other special things they need to do though? I'm just wondering. Well, let's, let's think of even at the highest level, do I need, do I know if I have any vibe code running? Is that an important thing? 
 

Izar Tarandach: just assume you do 
 

Sean Martin: Assume you do. Okay, there we 
 

Izar Tarandach: Just assume you do. 
 

Sean Martin: All right. And do you treat it differently? Do you have to go after those parts differently perhaps, or do you just bundle it all in with the rest of the 
 

Izar Tarandach: I, I wish I could say treat it [00:33:00] differently because then it would be saying that the code that you have, that it's not vibe coded is somehow already more secure. 
 

Sean Martin: We're not there yet, though. 
 

Izar Tarandach: We're not there yet. So what I'm saying is treat it exactly the same. Don't make it a special thing just because it's vibe coded. Okay. And if you are one of those many startups nowadays that profess to the fact that they are completely vibe coded, at some point you are going to have to demonstrate security. 
 

Whenever you're acquired or whenever you start giving services to big corporations that have all their security intake, uh, uh, uh, procedures and processes, you are going to have to, to, to prove security. So be ready for that. Get in front of that. Threat model your stuff. Check your stuff. Pen test your stuff. 
 

Sean Martin: Do, do you know of anybody doing, uh, vibe Devs? Sec? I, I come from the world of QA. QA is a vibe, QA where, where I [00:34:00] did also Devs 
 

Izar Tarandach: You know, 
 

Sean Martin: I did QA, but. 
 

Izar Tarandach: vibe QA is something that I could get behind because I, I still think that QA is a lot of, uh, feeling, uh, you look at something and you say there's something fishy in there. I. Then you, you follow down and you follow and follow and you end up finding something. And that's also vibes with the, the word of, uh, threat modeling. 
 

Right? 
 

Sean Martin: Yeah. 
 

Izar Tarandach: And I am just expecting at any moment, somebody to come and, and talk about vibe, threat modeling. 
 

Don't know what my reaction will be. I'll wait and see. I'm, I'm, as they say, I'm reserving judgment for, for when that happens. 
 

Sean Martin: Well, as soon as you say that, I'm, I'm going back to my DJ thing. Some, somebody's gotta be the, the feedback to the threat model response. 
 

Izar Tarandach: Somebody has to be the Between the microphone and the 
 

Sean Martin: Yeah, exactly. Exactly. Ah, well, such, such a fun topic. Thanks for, uh, thanks for putting that rant out there and, uh. [00:35:00] I guess thanks to LinkedIn for feeding it to me, and, but most importantly, thanks for, uh, thanks for joining me on the show here today. 
 

Izar Tarandach: Oh, thank you. 
 

Sean Martin: uh, hopefully folks, uh, were vibing along with us. I hate to over overuse it now, but no, seriously, I hope everybody enjoyed the conversation. Uh, my whole goal is to get people to think, take some action on, uh, what they're doing with the program so we can help protect the business and. The revenue that it generates. 
 

Izar Tarandach: definitely. 
 

Sean Martin: So, Izar, thanks so much. Uh, hope, hope to see you again soon. I'll look forward to your episode on this topic. Uh, when it comes out, please do share it with me 
 

Izar Tarandach: We are going to have 
 

Sean Martin: uh, I'll share with my audience too. And everybody listening, watching, thanks for joining me here on Redefining Cybersecurity as we hope to do just that. 
 

And, uh, please stay tuned for more, uh, share and subscribe and, uh, we'll see you on the next one. Cheers, everybody.