🔐 Security Debt

Security Debt: Vulnerabilities, unvalidated inputs, exposed secrets, and weak authentication patterns baked into the codebase by security-naive AI models. It is exacerbated by Automation Bias, where developers trust AI output without thorough security review.

Characteristics

  • User inputs are directly concatenated into queries or commands (SQLi, XSS vectors).
  • Authentication and authorization logic is "hallucinated" or simplified.
  • Sensitive data (PII) is handled without encryption or proper consent.
  • API keys, secrets, or internal paths are hardcoded in AI-generated snippets.
  • Outdated or vulnerable libraries are recommended because they were current in the AI's training data.

The Reality: The Confidence-Quality Gap

  • 45-46% of AI-generated code contains vulnerabilities (Source: Source 4).
  • Lower actual security when using AI (Source: Source 4).
  • Higher developer confidence in AI security (Source: Source 4).

The most dangerous aspect of Security Debt is that developers feel more secure while using AI assistants, even though the resulting code is objectively less secure than human-written alternatives.

Examples

1. The Naive Parser

An AI assistant generates a "simple" CSV parser that doesn't handle malicious input, leading to a Buffer Overflow or Denial of Service vulnerability.

2. JWT Hallucinations

AI implements a JWT token check but "forgets" to verify the signature or uses a default, hardcoded secret.
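The two halves of this smell side by side, as an added example that is not from the page or the book it references: a naive check that decodes the payload and never looks at the signature, beside a check that pins the algorithm, recomputes the HMAC, compares in constant time and enforces expiry. The key bytes and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(claims: dict, key: bytes) -> str:
    # Minimal HS256 signer, used here only to build tokens for the demonstration.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def naive_check(token: str) -> dict:
    # The "hallucinated" check: splits the token and trusts the payload without
    # ever touching the third segment, so any caller can mint accepted tokens.
    _, body, _ = token.split(".")
    return json.loads(_b64url_decode(body))


def verify_hs256(token: str, key: bytes, now=None) -> dict:
    # The corrected check: reject any header that does not name the expected
    # algorithm, recompute the MAC over the exact signing input, compare in
    # constant time, and only then read and validate the claims.
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    current = now if now is not None else time.time()
    if "exp" in claims and claims["exp"] <= current:
        raise ValueError("token expired")
    return claims
```

In a review, the tell is that `naive_check` takes no key at all: a token check that needs no secret cannot be verifying anything.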

3. PII Blindspots

AI generates analytics tracking code that accidentally sends user email addresses and search history to a third-party vendor without encryption (GDPR violation).

Remediation Strategies

  1. Security-First Prompting: Explicitly include security constraints in every prompt (e.g., "must use prepared statements").
  2. Automated Security Scanning: Integrate tools like Snyk or GitHub Advanced Security to scan all AI PRs.
  3. Manual Expert Review: All authentication, encryption, and data-handling logic must be reviewed by a human expert.
  4. Input Validation Framework: Implement a centralized validation layer that AI code must use.

Book Reference

Security Debt is a critical focus in:

  • Primary: Chapter 1, Chapter 6, Chapter 10.
  • Remediation: Chapter 14, Chapter 18 (The Manifesto).
  • Appendix A: Full debt catalog.

Security is non-negotiable