{"id":5695,"date":"2025-09-15T10:57:12","date_gmt":"2025-09-15T14:57:12","guid":{"rendered":"https:\/\/risingtidesecurity.com\/?p=5695"},"modified":"2025-09-15T10:57:12","modified_gmt":"2025-09-15T14:57:12","slug":"subprime-code-how-vibe-coding-could-trigger-the-next-great-crash","status":"publish","type":"post","link":"https:\/\/risingtidesecurity.com\/?p=5695","title":{"rendered":"\u201cSubprime Code\u201d: How Vibe Coding Could Trigger the Next Great Crash"},"content":{"rendered":"\n<p>There\u2019s something about AI-assisted coding, or \u201c<em>vibe coding\u201d<\/em>, that feels eerily familiar. Not familiar in the cozy, \u201cgrandma\u2019s kitchen\u201d sense, but familiar like the \u201c<em>oh dear God, haven\u2019t we lived through this before?\u201d<\/em> way. As someone who has spent 25 years in cybersecurity, but also lived through the heady days of financial services leading up to the 2008 crash, I can\u2019t shake the d\u00e9j\u00e0 vu, but I couldn\u2019t find the word to describe it.<\/p>\n\n\n\n<p>Rewind 18 years. Fintechs were booming, balance sheets were exploding, and the market believed in infinite growth because, well, why not? When Bear Stearns collapsed in March 2008, the financial world shrugged and said, \u201cThat\u2019s weird, but it\u2019ll buff out.\u201d Then Lehman Brothers imploded in September, and suddenly it wasn\u2019t fine. Cue <em>The Big Short<\/em>, a Michael Lewis book (and later a hit movie) that let everyone claim they totally understood what Collateralized Debt Obligations (CDOs) and Credit Default Swaps (CDSs) were.<\/p>\n\n\n\n<p>This summer, I attended Stacey Schreft\u2019s talk at B-Sides Las Vegas comparing the 2008 crisis to cybersecurity. She aptly pointed out that the 2008 financial crisis was caused by a number of factors, and one of them was \u201cLeverage\u201d. That\u2019s the word I had been fumbling for! 
AI-assisted coding is doing exactly that: it is creating massive leverage for half-baked designs to sprint into production, and it democratizes a skill that often requires nuanced knowledge. And if history is any guide, we may be on the brink of a subprime coding crisis.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Subprime Code and the Illusion of Velocity<\/strong><\/h2>\n\n\n\n<p>Let\u2019s start with the obvious: there\u2019s been an explosion of AI tools that promise to help you code faster: Claude Code, Cursor, Replit, GitHub Copilot, ChatGPT plugins, take your pick. With a keystroke, anyone can generate scaffolding, build APIs, or even deploy entire web or mobile apps. Idea-to-Build-to-Deploy-to-Prod pipelines have never been so frictionless.<\/p>\n\n\n\n<p>And therein lies the leverage. We\u2019ve handed the keys to developers, regardless of skill or experience level, who can now ship \u201cworking\u201d software without really understanding what\u2019s under the hood. Just like banks in 2006 handing out no-documentation loans \u2014 \u201cyou want a $500,000 mortgage with no job, no income, and no clue? Approved!\u201d<\/p>\n\n\n\n<p>Velocity is intoxicating. But velocity without guardrails is risky, like a centrifuge spinning out of control. We\u2019ve already seen it: junior developers proudly demoing AI-generated apps that \u201cjust work\u201d until you actually press a few buttons and the thing catches fire. Blue skies today, storm clouds tomorrow.<\/p>\n\n\n\n<p>The financial world had its subprime mortgages bundled into AAA-rated instruments called CDOs. In tech, we\u2019re stuffing subprime code into environments that may also host mission-critical, well-architected systems. And just like those mortgage bundles, the toxic parts don\u2019t stay hidden forever. 
Eventually, they overwhelm the system.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Disappearance of the Experts<\/strong><\/h2>\n\n\n\n<p>Here\u2019s the kicker: the people who actually know how to build resilient systems (the software equivalent of conservative bankers) are increasingly being sidelined.<\/p>\n\n\n\n<p>Experts understand full lifecycles: design, build, test, deploy, maintain, decommission. They know how to architect for failure, manage dependencies, and measure resilience. But in the vibe coding world, those experts can be seen as expensive bottlenecks. \u201cWhy waste time on design reviews when Copilot can churn out a module in 30 seconds?\u201d<\/p>\n\n\n\n<p>Sound familiar? It should. During the mortgage boom, traditional bankers who insisted on things like income verification were laughed out of the room. Why check pay stubs when the market is only going up?<\/p>\n\n\n\n<p>Subprime code is like the adjustable-rate mortgage of software. Cheap and shiny at first, a maintenance nightmare later. Return on investment looks fantastic on day one: \u201cLook, we shipped in record time!\u201d but the total cost of ownership lurks like a balloon payment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Tech Debt Interest Rates Rise<\/strong><\/h2>\n\n\n\n<p>Ask any seasoned engineer: all software atrophies. Bugs accumulate. Dependencies rot. Vulnerabilities creep in. Without care and feeding, systems degrade. Historically, experts have played the roles of janitor, custodian, and responsible borrower, patching, refactoring, and paying down the interest on tech debt.<\/p>\n\n\n\n<p>But AI-assisted coding doesn\u2019t do maintenance. It doesn\u2019t monitor environments. It doesn\u2019t patch quietly at 2 a.m. It just creates more code. And more code equals more surface area for entropy.<\/p>\n\n\n\n<p>As technical debt mounts, the \u201cinterest rate\u201d rises. Minor bugs turn into cascading failures. Vulnerabilities become attack vectors. 
Suddenly, those quick wins cost exponentially more to sustain. Just like mortgage defaults snowballed when interest rates reset, defaults in vibe-coded systems will come when organizations can\u2019t keep up with the compounding debt.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>The Crash<\/strong><\/h2>\n\n\n\n<p>At first, everything will look fine. Systems will hum, dashboards will glow green, and product managers will beam about how fast they\u2019re shipping.<\/p>\n\n\n\n<p>Then entropy kicks in. Fragility multiplies. That vibe-coded feature you deployed last year? It now breaks every time a library updates. The chatbot you shipped to production? It leaks data under certain inputs. The infrastructure-as-code templates your intern pasted in? They left the equivalent of the front door wide open.<\/p>\n\n\n\n<p>When enough of these brittle systems stack together, the crash comes. Not necessarily one big bang (though don\u2019t rule it out), but more likely a rolling crisis. Outages become more frequent, breaches more severe, and recovery becomes slower. Organizations without experts to bail water will drown in their own subprime code.<\/p>\n\n\n\n<p>The severity of the crash may depend on the ratio of subprime code to prime code, and whether experts have been retained as the last line of defense. Unfortunately, the current trajectory doesn\u2019t inspire confidence, and those experts will likely burn out fighting the fire.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Avoiding the Subprime Code Bubble Burst<\/strong><\/h2>\n\n\n\n<p>So, where do we go from here? Pretending vibe coding doesn\u2019t exist isn\u2019t an option. The genie is out of the bottle, and frankly, there\u2019s enormous potential if we wield it wisely. 
But just as regulators eventually reined in no-doc loans (a bit too late, admittedly), we need discipline in software development before the crash comes.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>PoC \/ R&amp;D is not production grade.<\/strong> Develop and experiment with intentionality, but plan on significant engineering work afterwards to make the result production grade. Don\u2019t let the intoxication of velocity make you forget how to make things resilient and great.<\/li>\n\n\n\n<li><strong>Architect for resilience, not just features.<\/strong> Build failure modes into the design, not as an afterthought.<\/li>\n\n\n\n<li><strong>Retain and empower experts.<\/strong> They\u2019re not relics of a bygone era; they\u2019re the guardrails that keep velocity from turning into a crash.<\/li>\n\n\n\n<li><strong>Don\u2019t forget to train the next generation.<\/strong> While they can build quickly because they don\u2019t know what dangers lurk in prod, they also need to learn how to build well.<\/li>\n\n\n\n<li><strong>Test like you mean it.<\/strong> Automated frameworks that validate resilience are as critical as the code itself.<\/li>\n\n\n\n<li><strong>Plan for maintenance up front.<\/strong> If your AI-generated module doesn\u2019t come with a maintenance strategy, then it\u2019s not an asset; it\u2019s a liability. Don\u2019t focus solely on ROI; consider TCO as well.<\/li>\n<\/ol>\n\n\n\n<p>The temptation will always be to hand AI tools to non-experts and let them sprint. It\u2019s cheaper. It\u2019s faster. It feels like growth. But without expertise, architecture, and discipline, it\u2019s just leverage, and leverage cuts both ways, cutting deeper over time.<\/p>\n\n\n\n<p>The 2008 crisis taught us that bubbles don\u2019t last forever, and crashes are far more expensive than resilience. Today, vibe coding gives us incredible speed, but it also risks burying us in a mountain of subprime code. 
The only question is whether we learn from history or end up explaining to our kids, 10 years from now, why <em>The Big Short 2: Code Harder<\/em> is topping Netflix.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There\u2019s something about AI-assisted coding, or \u201cvibe coding\u201d, that feels eerily familiar. Not familiar in the cozy, \u201cgrandma\u2019s kitchen\u201d sense, but familiar like the \u201coh dear God, haven\u2019t we lived through this before?\u201d way. As someone who has spent 25 &hellip; <a href=\"https:\/\/risingtidesecurity.com\/?p=5695\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-5695","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/risingtidesecurity.com\/index.php?rest_route=\/wp\/v2\/posts\/5695","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/risingtidesecurity.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/risingtidesecurity.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/risingtidesecurity.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/risingtidesecurity.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5695"}],"version-history":[{"count":1,"href":"https:\/\/risingtidesecurity.com\/index.php?rest_route=\/wp\/v2\/posts\/5695\/revisions"}],"predecessor-version":[{"id":5697,"href":"https:\/\/risingtidesecurity.com\/index.php?rest_route=\/wp\/v2\/posts\/5695\/revisions\/5697"}],"wp:attachment":[{"href":"https:\/\/risingtidesecurity.com\/index.php?rest_route
=%2Fwp%2Fv2%2Fmedia&parent=5695"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/risingtidesecurity.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5695"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/risingtidesecurity.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5695"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}