Technical

Secure vibe-coding is an oxymoron: Here’s how to change that

Idan Plotnik
CEO
Published June 23 2025 · 3 min. read

A reality check for no-code development

A new wave of “vibe coding” platforms is putting software development in the hands of anyone, not just trained engineers. Users can design and deploy full-stack applications entirely using natural language, AI models, and low-code/no-code tools. But, as a recent security incident shows, there are still major wrinkles to iron out, especially as it pertains to security risk.

Last month, Semafor Tech reported that one of the hottest startups in this space, Lovable, had inadvertently exposed sensitive user data across hundreds of applications built on its platform. The issue stemmed from misconfigured Supabase databases, a risk that thousands of companies may unknowingly face as AI-assisted development takes off.

While on one hand we’re seeing a powerful democratization of software development, allowing more people to be creators with fewer resources and less training, there is also an obvious and consequential gap in terms of knowledge of best practices and engineering principles, especially as it relates to building apps with strong security.

Quoted in the article, Simon Willison, creator of Datasette, says:

“You can’t just give people a database and expect them to get it right. It’s the single biggest challenge of the next few years.”

What happened at Lovable?

Lovable, a YC-backed startup promising “vibe coding” for the masses and claiming to be the fastest-growing company in Europe, allows users to build sophisticated apps via AI-driven text prompts. The platform leans heavily on Supabase, an open-source backend-as-a-service tool that provides instant PostgreSQL databases for new apps.

But when Matt Palmer, a Replit engineer, analyzed Lovable apps, he found that 170 out of 1,645 public apps had insecurely exposed their databases, revealing secret API keys, user account data, private messages, and even payment information.

Palmer responsibly disclosed the issue via the National Vulnerability Database. Lovable has since tightened its onboarding process and published guidance to reduce (but not eliminate) the risk of similar misconfigurations.

The story underscores a deep problem: AI-accelerated development workflows often skip traditional security reviews and rely on non-experts making critical architecture decisions. As former Facebook CSO Alex Stamos warned:

“The odds of a user correctly configuring a Supabase backend with Postgres to be secure are extremely low.”
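The post does not say which Supabase setting the affected apps got wrong, so the following is an added example (not code from the post, from Lovable, or from Supabase's own documentation) of the most common way a Supabase-backed app exposes its database. Supabase serves every table in the `public` schema through an auto-generated REST API, and the client app ships with the `anon` key, so any table without Postgres row-level security (RLS) is readable and writable by anyone who opens the app's network traffic. The table name and columns are constructed for illustration; `auth.uid()`, the `authenticated` role, and `pg_tables.rowsecurity` are real Supabase and PostgreSQL features.

```sql
-- Weak configuration (illustrative table): created with RLS off, which is the
-- PostgreSQL default. Because the anon key is embedded in the client, every row
-- is exposed to anyone who holds it.
create table public.messages (
  id         bigint generated always as identity primary key,
  user_id    uuid not null references auth.users (id),
  body       text not null,
  created_at timestamptz not null default now()
);

-- Hardened configuration: turn on RLS, then grant only the access the app needs.
-- With RLS enabled and no policies, Postgres denies all rows, so the failure
-- mode is "too little access", not a public data leak.
alter table public.messages enable row level security;

-- Signed-in users may read only their own messages.
create policy "users read own messages"
  on public.messages for select
  to authenticated
  using (auth.uid() = user_id);

-- Signed-in users may insert only messages attributed to themselves.
create policy "users insert own messages"
  on public.messages for insert
  to authenticated
  with check (auth.uid() = user_id);

-- Posture check: list every API-exposed table that still has RLS disabled.
-- Running this against a project should return zero rows; anything listed is
-- readable through the REST API with nothing more than the public anon key.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity
order by tablename;
```

Two caveats follow from how this works. The `service_role` key bypasses RLS entirely, so it belongs only on a server and never in the client bundle, which is the "hardcoded secrets" half of the same problem. And because the check is a plain catalog query, it can be run on every schema change rather than once at setup, which is the kind of continuous posture check the rest of this post argues for.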

The unsatisfying reality

Lovable’s solution is not very convincing, as it essentially puts the onus on the user to know exactly how to configure their applications and databases correctly to avoid security risks, despite marketing their tool as the “last piece of software”. Users overestimate the built-in security controls, and most nontechnical users simply don’t know what they don’t know.

As AI-driven and low-code/no-code platforms surge in popularity, they’re pulling more non-developers into building software. These users move fast, often without deep understanding of secure architecture. The result: a growing surface of exposed databases, hardcoded secrets, misconfigured APIs, and unclear ownership.

At the same time, attackers today aren’t experimenting with 1990s tools. They’re using automated scanners, breach marketplaces, and advanced AI to find and exploit these weak points instantly. Insecure app configurations that might have gone unnoticed for months a decade ago are now targeted in hours.

And platform providers are struggling to communicate these risks clearly to their user base. Developers and hobbyists often assume that built-in defaults or AI-generated code will “just work”, without realizing they’ve exposed sensitive data to the public internet.

Apiiro’s role in this new world

This is exactly where Apiiro comes in, providing deep, continuous visibility into software architecture, including the misconfigurations and insecure patterns that vibe coding and AI-assisted development can introduce. While traditional AppSec tools focus on periodic code scans, Apiiro builds a real-time Software Graph that connects:

  • Application code
  • Generated configurations
  • Infrastructure components
  • API endpoints
  • Secret and credential usage
  • Deployment posture

As these environments change, whether through manual updates, AI-generated code, or platform defaults, Apiiro continuously assesses risk and flags exposures early.

If a team using an AI coding assistant unknowingly exposes a Supabase database, hardcodes an API key, or leaves an authorization bypass in place, Apiiro surfaces and shows them the risk before it ships to production, not after an attacker finds it.

And for platform providers embedding AI-assisted workflows, Apiiro helps implement the missing security layer: automated posture checks and policy enforcement that keep pace with non-expert development at scale.

Essentially, Apiiro helps bridge the gap for new developers and vibe coders in enterprises who want to take full advantage of the creativity and productivity of tools like Lovable without exposing their business to unnecessary risk.

The takeaway

AI-assisted development is here to stay, and so are non-traditional developers building software. That’s not the problem. The problem is twofold: first, a critical disconnect of security responsibility in vibe coding; and second, the fact that most organizations lack a way to see and govern what these new workflows produce.

Unfortunately, incidents like Lovable’s will keep happening until security becomes a baked-in part of the development process. Apiiro gives companies the visibility and control they need to make sure speed doesn’t lead to exposure.

If you’d like to learn more and see for yourself how Apiiro helps teams secure AI-driven and low-code development, request a demo.