# To be or not to be a VIBE CODER??? ft. Dr. Byrd x Aniket | Ep 8

## Metadata

- **Channel:** Great Learning
- **YouTube:** https://www.youtube.com/watch?v=-iV43lbpmm0
- **Date:** 15.05.2026
- **Duration:** 14:50
- **Views:** 293
- **Source:** https://ekstraktznaniy.ru/video/51753

## Description

The era of "vibe coding" allows anyone to build software using AI prompts, but it brings unprecedented cybersecurity risks to the enterprise. Discover how autonomous AI agents are reshaping software development, vulnerability testing, and DevSecOps.

This discussion explores the rapid rise of vibe coding, a process where users rely entirely on large language models to generate, stitch, and preview code in minutes. While this accelerates innovation and allows founders to build rapid prototypes, it introduces severe blind spots in software supply chains. The conversation highlights the inherent dangers of trusting unverified open-source libraries integrated by AI without human oversight.

Cybersecurity professionals, software engineers, and IT leaders must understand these emerging threats to protect enterprise infrastructure. Relying blindly on AI-generated software strips away the visibility required for effective patch management and operational resilience. Integrating AI into the Dev

## Transcript

### Intro

— Hello everyone and welcome to the Cyber podcast. This is Aniket Ambekar and I have with me Dr. Byrd. Dr. Byrd, welcome to the podcast. Hey, thank you Aniket. Welcome everyone. Uh it's exciting as always to be a part of uh cyber security discussions. Uh we've been talking about uh vibe coding and even Mythos AI. Yes. Yes, so true. Today in this episode we are going to uh talk about Mythos. We

### What is Vibe Coding? [0:41]

talk about the vibe coding, the new buzzword on the market and what are some advantages, what are some risks that we should be aware of. Now, if you are hearing about vibe coding for the first time, let me give you a quick brief about it. Vibe coding is where you go to an AI tool, much like an LLM, and you can provide an entire prompt detailing your requirements. What kind of form you're looking at, what kind of theme, what buttons you want, what are their outputs. And that's it. You write all of this down and you hit enter. And now the vibe coding tool is going to use coding agents, agentic AI, trained to develop code. It's going to have multiple agents work on that code, stitch it together, and show you a quick preview in not less than 5 minutes. And I even 5 minutes is a long duration. Some models have become even faster. But the point I'm trying to share is even if you don't know how to code at all, you can still build software. What do you think, Dr. Byrd? Is that positive, negative? What what's your thought? I

### The Benefits of Rapid AI Prototyping [1:50]

think it's positive. You know, when I was listening to your description, some things came to mind. I thought about uh know, software development as you articulate it. We think about strategic implementation and ultimately business workflows. It allows entrepreneurs and innovators, right, to come to a fruition about their different ideas. You can present it to your thought leaders, your investors. It uh improves and enhances innovation. Yeah, very true. It enhances innovation for sure. And earlier any uh startup uh founder would have to write down this description, work with a UI developer, and the UI developer will take their own time, do some more adjustments, and then maybe after two to three weeks, the founder can pitch to any investor about their idea. But now, if I get an idea while listening to a talk in a conference, during the conference itself, I can build a quick prototype and pitch it to the investors in the same conference. So, that time to pitch has really gotten short. But then, the question is this quick fix enough, or is it mature enough that you can deploy it in an enterprise where thousands of users can start using it immediately? What are your thoughts on that, Dr.

### Enterprise Security and Open Source Risks [3:13]

Byrd? No, it's definitely not safe yet. You know, to your point, it's in this kind of phase one of design where we see the most benefits, right? The ability to develop a use case with business teams, business units, entrepreneurs, and you can develop it to phase one to show this kind of proof of concept and validity, right? Hmm. But that's where it really needs to stay at this particular point. You're using open-source tools and softwares, and there's unknown vulnerabilities, you know, in this approach of vibe coding. When we think about traditional ideologies of DevOps, we think about uh libraries and modules that have been designed and uh developed by our software teams, our APIs, they've been vetted, validated, and approved, right? So, we know what we're working with. When you're using open source tools, it's that, you know, supply chain bill of materials that you just aren't aware of. And as we were talking with Mythos, uh as we were opening this session, that's what Mythos is able to identify, you know, vulnerabilities in software and coding. Right. — Right. You know, once you have developed this approach of, "Hey, I understand the assets in my enterprise, not only from a hardware but a software perspective," then you know where those gaps, those vulnerabilities, what needs to be patched, what's at end of life. When you're using vibe coding open source, you just don't have that visibility into the back end. So, yes, it's perfect for the initial onset, proof of concept, developing ideas, use cases, and then it needs to, you know, turn over to your DevOps team. Yeah. Time for the big boys to join the table. Exactly. Exactly. Securely. There are so many things to unpack in that answer of yours, Dr. Byrd. Um mainly

### Software Supply Chain Vulnerabilities [5:07]

so many companies, especially financial companies, we know that they have a very strict process of developing software. Because in the past, we have seen that if somebody uses any component or a library which is outdated with known vulnerabilities, they use that library to build a financial product which is now available to millions of users, they can exploit that existing vulnerability and cause a huge impact. So, what does the bank do? Bank says, "Hey, our security team has vetted and tested these seven libraries. Whatever software you want to develop, use these seven libraries only." So, that way you have an assurance that at least in the supply chain level there are no risks. And whatever risks are there, it's only at the logic level, which we will continue to find out, test, and then fix. But then, when you start using vibe coding, you don't have control on those libraries. It can start using any libraries it wants, and then things go completely out of your control. Now, Dr. Byrd, it's quite possible some of our learners may be hearing the word Mythos for the first time. Can you give us a quick morning brief for Mythos? Well, Mythos is an LLM that has been

### Introduction to Anthropic's Mythos Model [6:21]

developed by Anthropic. Uh they were in the news, I think April 7th was the actual release date or of the blog and the posting about what was happening. There were some concerns uh by the capabilities of the LLMs, right? And whether it's Mythos or GPT or any of them, right? Remember, they are continuing to evolve and mature in their capabilities and their speed. We're in this technology cycle where it is this uptick. Where the concerns were like was the ability to identify vulnerabilities, you know, at scale and speed. So, Anthropic did this uh public release saying that, "Hey," news release saying that we will not release it to the public. They engage anywhere from 25 to 50 uh critical organizations, primarily in that supply chain, like Microsoft, CrowdStrike, and some government agencies. The banking sector was involved, and they said, "Hey, we're going to create this project where we will test and evaluate code in an effort to reduce the attack surface, right? — Right. And improve, you know, security from that perspective. And that has spun a lot of conversations around uh you know, vulnerability management, you know, vibe coding and those type of things. So, you know, we're talking about those recommendations that we share in our courses, you know, it's important to understand your supply chain. Software, hardware supply chain risk management. We talk about understanding assets, right? What's in my enterprise? Asset management. — Right. Then tech modernization. When technology is outdated, whether software, hardware, it's taken offline, right? Appropriately. Cuz again, whether it's Mythos or any of the other LLM products, the AI products, the ability to identify vulnerabilities, gaps, and that exploitation there exists. So, we're seeing the speed in which we go from vulnerability management to the need to patch management to deployment. So, our goal is always about operational resilience, right? And that has So true.
— enhanced with the release of Mythos and what's happening in the news. Yep. Yep. Uh three points I wanted to add that

### How AI Broke OpenBSD's Sandbox [8:49]

one, what is it that really scared people because, oh my god, what is this great thing that's happening? So, OpenBSD is an open source operating system that has been tested so many times for more than 25 to 30 years. People did not find any vulnerabilities in that, any critical vulnerabilities in that. Now, um Claude was being deployed in a sandbox which was hosted in OpenBSD. This AI agent or this AI model was able to break out of that sandbox. It found a vulnerability in OpenBSD. I mean, that itself was the miracle moment for everyone. How did it find that vulnerability? It's such an old and reliable and robust software. So, it found the vulnerability, exploited, and it wanted to go even beyond. So, that's really what scared people. And um there was a meeting in the White House that was focusing in uh focusing on Mythos. Something similar happened in India as well, where the Indian ministries got together, and they alerted all the banks and the financial institutions to start testing for this. But then, Dr. Byrd, what I see here is that in the future similar capabilities will keep getting developed. Today, it is Mythos by Anthropic or Claude, tomorrow it could be DeepSeek. It could be any other model which has some really dangerous capabilities. So, is there a need for a new model like an OWASP top 10 kind of a model where we can predict these kind of issues, and then be ready for those? I think so. I think uh you know, the uh existing models, threat modeling, you know, is efficient. It's a starting point, but something that you and I discussed uh as we were opening this session, I think is really worth

### Threat Modeling in the AI Era [10:48]

discussing. When we're talking about the development of you know, software and hardware, that's where organizations will probably begin to use these models, right? For their internal testing and evaluation. So, you get a chance to increase the resiliency, right? Reduce that attack surfaces from the dis- inception, right? So, we talk about the technology life cycle, whether it's hardware or software, we're really trying to move to the inception of the, you know, software to make sure that we've mitigated any vulnerabilities before it's you know, embedded into hardware, software, it's distributed globally, then you know, you're behind the curve so to speak and you see these, you know, so what now kind of discussions, you know. Right. So then are you saying that we should integrate this in the DevOps model itself? So every time we build or push any new code, the Mythos model is going to security test on that? Exactly. That's what we were saying, right? You've got to, you know, escalate those capabilities to your point, you know, you're finding these outdated uh vulnerabilities. Outdated in the sense that, you know, people humans have been looking and validating and uh the software and have not found it. But then, you know, we see again this vulnerability identification process happening, you know, at speed and at scale. So that's where the gap in the challenges are, you know. All right. So I think in the future we are looking at um more and more integration of these AI models in the DevSecOps environment. And uh if there is anybody who is a newbie in the

### Integrating AI into DevSecOps [12:35]

software development field, then don't think that you have mastered software development because you created a software with vibe coding. You need You still need to know how the code works. Uh without that, you will be paralyzed. Yeah. Any closing thoughts for our viewers, Dr. Byrd? I agree with you. You know, AI is just an amazing tool that has a lot of capabilities, but we can't forget the foundations, right? We tell our students this all the time. It gives you this false sense of knowledge, security and understanding, but what we don't understand, what newbies don't understand, is what's happening behind the scenes. Is it using, you know, software that has vulnerabilities? We just aren't quite sure. The black box approach, what's happening behind the scenes. Where again, when you articulate it, the approach that financial sector is using, the healthcare sector, you're evaluating code, these libraries, these APIs. They've been tested and evaluated. You know, what your foundation looks like before you get started in the DevOps process. That's so important. — Right. That's really important. Thank you so much, Dr. Byrd. Vibe coding is certainly

### Why Foundational Coding Skills Still Matter [13:54]

an exciting domain. A tool that I have used in the past is Emergent, emergent.sh. I would recommend our viewers to give it a try. It gives you some free credits as you join in. But then you know that no matter how good of a software you create with Emergent, you are the one who should be in the back end knowing how it works. I hope all of you like this video of our new episode in the cyber podcast. We will be coming back with another discussion on another angle of cybersecurity and continue to learn. Thank you so much, Dr. Byrd, for being a part of this podcast and we'll meet again. Hey, thank you. And again, thank you, everyone, for joining us. Thank you. Bye.
