
Resilient Cyber
Securing the Vibe: Tanya Janca on AI-Generated Code, Mythos, and the New AppSec Reality
Why It Matters
As AI‑generated code becomes mainstream, unchecked "vibe coding" can introduce hidden vulnerabilities that traditional tools miss, putting entire organizations at risk. Understanding these shifts helps security leaders prioritize human oversight, updated tooling, and developer‑centric protections to safeguard the software supply chain in 2026 and beyond.
Key Takeaways
- AI "vibe coding" writes code without human review
- OWASP Top 10 added supply chain and vibe coding categories
- Developers become direct targets in modern supply chain attacks
- Vendors focus on component scanners, ignore developer workstation security
- Legacy DevSecOps tools generate backlogs and false positive overload
Pulse Analysis
The 2026 AppSec landscape is dominated by what Tanya Janca calls "vibe coding"—AI systems that generate entire applications with little to no human oversight. This practice bypasses traditional code reviews, leaving hidden vulnerabilities that even seasoned security teams struggle to detect. As organizations adopt AI assistants like GitHub Copilot at scale, the false sense of security around "human in the loop" becomes a dangerous myth, prompting a surge in incidents where unchecked AI‑written code reaches production unchanged.
The OWASP Top 10’s 2025 revision reflects these shifts, expanding from ten to thirteen items. New categories such as software supply chain failures, mishandling of exceptional conditions, memory‑management bugs, and an explicit "vibe coding" entry highlight the community’s recognition that threats now stem from both code components and the people who write them. By folding SSRF into broken access control and elevating security misconfiguration, the list underscores persistent weaknesses while signaling that supply‑chain hygiene and robust error handling are now critical success factors for any development effort.
These trends expose a glaring gap in vendor offerings: most tools excel at scanning for outdated libraries but fall short of protecting developer workstations, CI pipelines, and the human element of security. Legacy DevSecOps solutions generate massive backlogs and false positives, eroding trust and overwhelming scarce AppSec resources. Janca advocates a paradigm shift—embedding security directly into AI models and re‑architecting AppSec programs to prioritize proactive, AI‑aware controls rather than reactive scanning. Organizations that adopt this forward‑looking approach will reduce toil, improve resilience, and stay ahead of attackers targeting developers themselves.
Episode Description
A new episode of the Resilient Cyber Show just dropped, and this one is a conversation I’ve been looking forward to for a long time.