richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
iso27diy-corp/Corpus/Various/LLMs and Vibe Coding/Application Security for Vibe Coding.md

2.8 KiB
Raw Blame History

Application Security for Vibe Coding

Suggested approaches

  • post your code into GPT or Claude and ask it to analyse the code for security vulnerabilities
  • Open a program on Yeswehack and let people test your security for you
  • use snyk.io or sonarcloud.io or sonarqube to continuously scan for security vulnerabilities
  • GitHub already scans for exposed keys and libraries that need to updated. Not on private repos though I believe (unless you have a paid plan).
  • Look up your tech stack and see if any CVEs are on it. If so look at what migrations can be taken.
  • Have Cursor create a security plan and then run through it.
  • Big thing to look for is where your API keys are located, set up a secure system for that. Maybe use Amazon Secrets Manager of HashiCorp Vault. Or see below for Supabase edge functions.

Tips from u/MoCoAICompany:

  1. Make sure no one has access to your API keys or secrets (I'm using Supabase edge functions for this, but there's a lot of options).
  2. Any user data should be protected and more important user data (think credit card info, social security numbers etc) should be encrypted. The easiest way to handle this is to not have user data or to minimize it as much as possible for the mvp. A few apps I'm building use anonymous users only (this lets me use Supabase edge functions to protect my keys but they don't need to log in)
  3. Keeping things simple if possible is a great way to minimize security risk. Or like using Stripe for payment platforms and piggy backing on their security.
  4. Have Al run a security audit on this stuff or get a good security audit prompt.
  5. Lastly, any API key you put out into the wild you should put a max spend limit on it - like $10, $50 whatever you want so that just in case the keys are stolen you have max losses based on that and also get an email saying your at your limit and then can change keys (and fix security) https://mocoai.com/ai-consulting/

u/infinitelogins mentioned working on a supabase misconfiguration scanner

Checklists

Aikido Vibe Check: The vibe coders security checklist Application Security Checklist on GitHub Full Stack Security Guide on GitHub Top 10 Tips from u/PhraseProfessional54 Security Audit Prompt from u/scragz

Aikido security masterclasses on YouTube