The modern market demands that companies make very quick decisions and adapt to changing market conditions in order to maintain a competitive edge. The pressure to move revenue-generating ideas into production quickly only grows during an economic slowdown, when improving results is harder than before. In this context, the growing popularity of no-code, low-code, and vibe coding should come as no surprise.
What is no-code?
No-code and low-code mean the use of technology by people who cannot program, or who have only a basic understanding of programming. These people build applications on platforms that, using visual interfaces, ready-made components, and "drag and drop" logic, allow working solutions to be assembled. Vibe coding goes a step further: it relies on ever greater automation and, ultimately, on removing human work from the process by using dedicated "programming" AI that generates the code from natural-language prompts. The approach has as many supporters as opponents, but, as always, weighing the advantages against the threats ends in "it depends." What are its practical advantages and disadvantages?
The potential benefits of "vibe coding" for business undeniably include:
- faster solution deployment: the ability to independently create a working application significantly shortens the time needed to develop and implement a new solution; thanks to the ease of use and availability of ready-made components, companies can react faster to market needs and implement innovative solutions more quickly,
- independence from external vendors: minimizing the risk of being "stuck" with a specific technology used by a software vendor, and the ability to independently develop applications,
- cost reduction: expenses for the full application development cycle – design, testing, debugging, and production – are a significant item in the budgets of not only large corporations,
- engagement of individuals with the best knowledge of operational processes: better understanding of business needs and the creation of more tailored solutions faster, without the need to translate "business" ideas into programming language, and greater employee involvement in implementation.
The risks and challenges associated with "vibe coding" can be summarized as:
- functionality limitations: ready-made solutions are by nature not tailored, so they may offer limited functionality compared to traditional programming. They may not be able to handle complex business logic, non-standard integrations, or specific technical requirements,
- scalability and performance issues: applications created without going through the full software development cycle may surprise their creators with performance bottlenecks once the workload grows with the scale of the processes they implement. This forces a "post factum" analysis of system needs (which may duplicate work compared to the standard path),
- difficulties in maintenance and development: it is hard to modify and extend an application without access to the source code and without knowledge of the full system architecture; debugging capabilities are limited, and the impact of updates to the platform and other "back-end" components is poorly understood,
- dependence on the platform used: although the platforms that provide vibe coding environments use similar techniques, they differ from each other, which can make migrating to another environment difficult without technical support,
- security concerns: a lack of adequate design knowledge and experience can lead to vulnerabilities in the application that allow unauthorized access to data and go undetected by the creator, who has no security testing step in which to find them; the risk grows with the degree to which the application is integrated with other company systems, especially with respect to data encryption and access management,
- the problem of liability for code vulnerabilities: employees have limited liability under labor law, while individuals on B2B contracts may not have clearly defined liability at all, which becomes a problem especially in the absence of procedures governing the use of AI in the company.
The key issue is what we want to automate
The decisive factor in assessing whether the benefits of vibe coding outweigh the risks is the nature of the processes to be automated using self-created applications. The required functionalities, the expected scalability of the solution, and its lifecycle are also important.
Particular attention should be paid to data security. Will the created solution have access to company databases? If so, it becomes crucial to consider the risk of disclosing confidential information that may be subject to specific regulations, as well as the risk of accidental deletion of data from servers, since the application will typically run with whatever database privileges its creator holds. Will the application process customer or contractor data? In that case, compliance with personal data protection regulations (GDPR) and privacy requirements must be ensured. It should also be considered whether the application will analyze data that could place it in the category of high-risk AI systems (e.g., data on health, finance, or user behavior); note that under the AI Act this classification follows from the intended use case, not from the data type alone.
What does this mean for business? Self-created applications should not be left in the realm of unspoken assumptions. Many Polish companies are aware that their employees are independently using AI-based tools. They do not explicitly forbid their use, but neither do they specify what employees should pay attention to when deciding to adopt them. In practice, regulating these issues does not have to be cumbersome or expensive at all.
National Cybersecurity System (KSC) entities do not have the full freedom to use vibe coding
Source code analysis and the preparation of system documentation play a key role in ensuring information security in accordance with ISO/IEC 27001. Annex A of this standard contains several controls covering these areas: in the 2022 edition these are, among others, the secure development life cycle (A.8.25), application security requirements (A.8.26), secure system architecture and engineering principles (A.8.27), secure coding (A.8.28), and security testing in development and acceptance (A.8.29). What does this mean?
Without support from the platform provider, who would have to perform and make available an analysis of the code of the solutions used, it will be difficult to demonstrate compliance with this standard. Moreover, shortening the software development process by dropping architecture design and security testing is inconsistent with secure development requirements. Appropriate entries can of course be included in the system documentation, or the control can be excluded (with a justification in the Statement of Applicability), but this means accepting the risk of such a situation, which then becomes residual risk. This has significant consequences for the cybersecurity posture of an organization that takes such a step: risk in the name of progress and the pursuit of even faster development.
If you want to see a summary of the business risks from a legal perspective, I invite you to read the article on LinkedIn and to follow our upcoming publications, where content on the risks and requirements arising from the regulations governing the creation of artificial intelligence will also appear.