“We can't just ask the agent to 'make this secure.' It won't work because 'secure' is too vague for an LLM. We should instead use spec-driven development, where we can have pre-defined security policies and requirements that the agent must satisfy before writing any code. This can include but is not limited to: no public database access, writing unit tests for each added feature, sanitize user input, and no hardcoded API keys. A good starting point is grounding these policies in the OWASP Top 10, the industry-standard list of the most critical web security risks.”

https://towardsdatascience.com/the-reality-of-vibe-coding-ai-agents-and-the-security-debt-crisis/
