In-Depth
Coding with AI: Why Verification Matters More than Vibes
AI-assisted coding has never been easier. A simple natural language query can create usable code in just a few seconds. AI models are also useful for translating code into another programming language, debugging, or even figuring out how code works. Even so, there is a growing trend called vibe coding that is becoming all the rage.
Vibe coding refers to the practice of accepting AI-generated code without really taking the time to look at it. This approach to development can be a huge timesaver and can be especially appealing to developers who are under time pressure. Even so, the practice carries significant risks.
One of the biggest risks associated with vibe coding is the simple fact that the practice is based on developers copying and pasting AI-generated code without taking the time to understand what the code is actually doing or how it works. That might be OK in the short term, but it seriously complicates long-term code maintenance. After all, it is difficult to update or modify code that you didn't write and don't necessarily understand.
Another possible issue with vibe coding is that, over time, it may degrade developers' skills. After all, if a developer gets to the point at which they are relying on AI to do the bulk of their coding work, they can begin to forget things.
Finally, when AI generates code, it is difficult to know for sure whether or not the code was written with security in mind. I recently saw some AI-generated code, for example, that would have been vulnerable to SQL injection attacks. Insecure AI-generated code can make an organization vulnerable to attack, but it can be especially problematic in regulated industries where there may be severe penalties for operating in an insecure manner.
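As an added illustration (not code from the article), here is the kind of database lookup the author describes, first in the shape it often arrives in from a model and then in the shape a code review should turn it into. The table, the sample rows and the username rule are constructed assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (an assumption for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_user_unreviewed(conn, username):
    """The pattern a reviewer should reject: the query is built by string
    concatenation, so the caller's input becomes part of the SQL itself.
    A name containing a quote is a syntax error (a crash), and a crafted
    input changes the WHERE clause instead of being compared against it."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_reviewed(conn, username):
    """The reviewed version: input validation up front, and a parameterized
    query so the database driver treats the value as data, never as SQL."""
    if not isinstance(username, str) or not (1 <= len(username) <= 32):
        raise ValueError("username must be a string of 1 to 32 characters")
    if not username.isalnum():  # assumed naming rule for this demo
        raise ValueError("username may contain only letters and digits")
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()
```

The two functions agree on well-formed input; they only diverge on the inputs that testing "relentlessly" (as the article puts it) is meant to surface.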
Even if you were to put aside the possibility of AI generating code that is insecure, there is another security-related issue to consider. AI will sometimes leverage external libraries or even middleware when generating code. When this happens, the code won't run without the required dependencies, and those dependencies (depending on what they are) could very well contain known security vulnerabilities.
None of this is to suggest that AI has no place in the code development process. AI-based development has enormous potential for expediting the development process, while also driving down costs. It's safe to say that AI-assisted development isn't going anywhere. Even so, it's important not to fall into any of the common traps.
The most important thing that any organization can do when working with AI-generated code is to perform a comprehensive code review to make sure that the code is well written and that it adheres to all of the organization's security requirements.
Another best practice is to avoid the temptation to just ignore anything that you don't understand. I have occasionally been guilty of doing this myself, and I'm sure I'm probably not the only one. If you don't understand how AI-generated code works, ask the AI to explain it to you. If the explanation doesn't make sense, then ask for a simpler explanation. You really don't want to put code into production if you do not understand what the code is doing.
Yet another best practice is that you shouldn't abandon your organization's coding standards just because AI is writing the code. This goes beyond just making sure that the code is secure. As an example, you should make sure that any AI-generated code adheres to all of your organization's usual naming conventions.
My own experience has been that AI-generated code is often messy and difficult to read. As such, I recommend taking the time to refactor any AI-generated code as necessary to bring it into alignment with your organization's standards. Likewise, if your organization normally requires code to be heavily commented, then the same should apply to AI-generated code. In fact, AI can comment the code for you if you ask. When you are done, you shouldn't be able to tell the difference between code that has been written by AI and code that was written by one of your organization's developers.
Another best practice is to be absolutely relentless when testing AI-generated code. I have found that AI will sometimes omit things from the code in an effort to make the response fit within the model's token size. Unless you take the time to thoroughly test the code, you might not notice these omissions until after the code has been placed into production.
To give you a personal example, I recently wrapped up a major coding project. I was pressed for time, so I had initially planned to let AI write the bulk of the code. However, after some early testing, I discovered that at least some of the AI-generated code lacked input validation and that the code would likely crash under the right conditions.
As such, I chose a different approach for my project. Rather than letting AI write all of the code, I wrote the vast majority of the code myself. However, I used AI for other things. For example, I used AI to optimize my code. I also used AI to help me test the code, and I used AI as a coding tutor when I needed help figuring out a tricky function.
My advice would be to use AI for generating boilerplate code and to assist developers when a skills gap exists. However, anything that is mission critical (or even application critical) should probably be coded by hand unless you have a process in place for performing a deep code review.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.