
MOST AI Code Was INSECURE in Tests
Big thanks to ThreatLocker for sponsoring my trip to Black Hat 2025. To start your free trial with ThreatLocker please use the following link: https://www.threatlocker.com/davidbombal
AI is speeding up software development—but at a steep security cost. From Black Hat, Tanya Janca breaks down why most AI-generated code in her training use cases is insecure, what’s missing (input validation, hashing, safe DB calls), and how to fix it with secure SDLC, shift-left practices, and AI workflows that include RAG, policy prompts, automated checks, and reviews. She also shares lessons from Alice and Bob Learn Secure Coding, API/MCP pitfalls (like unauthenticated endpoints), and a “Minimal Viable Security” baseline so teams don’t ship risk by default. If you write, review, or attack code, this will change how you use AI.
// Tanya Janca’s SOCIALS //
YouTube Channel: https://www.youtube.com/shehackspurple
Website: https://shehackspurple.ca/
LinkedIn: https://www.linkedin.com/in/tanya-janca/
X: https://x.com/shehackspurple
// Books REFERENCE //
Alice and Bob Learn Secure Coding by Tanya Janca:
US: https://amzn.to/4nr9XVv
UK: https://amzn.to/41GRyLV
Alice and Bob Learn Application Security by Tanya Janca
US: https://amzn.to/46forAM
UK: https://amzn.to/3VEMHqW
// Playlist REFERENCE //
https://www.youtube.com/watch?v=oyBvpVgaJlg&list=PLI9RITMnVbygNBCyomvbizyylaiU7F6Tg
https://www.youtube.com/watch?v=6OaYA5nuI4A&list=PLI9RITMnVbygrVQaGvpojIzgHTpkRrIn8
// David's SOCIAL //
Discord: https://discord.com/invite/usKSyzb
X: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/@davidbombal
Spotify: https://open.spotify.com/show/3f6k6gERfuriI96efWWLQQ
SoundCloud: https://soundcloud.com/davidbombal
Apple Podcast: https://podcasts.apple.com/us/podcast/david-bombal/id1466865532
// MY STUFF //
https://www.amazon.com/shop/davidbombal
// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com
// Menu //
0:00 - Coming up
0:35 - Intro
01:23 - What Tanya’s new book covers
02:00 - Vibe Coding
03:11 - The Flaws with AI
04:28 - Start-Ups on Vibe Code
05:37 - Vibe Code is Bad Code 90% Of The Time
06:45 - Should A Client Put Vibe Code Online?
09:19 - AI Is Like Pandora’s Box, It’s Been Let Out Now
10:35 - MCP Servers Without Authentication
13:58 - APIs In Tanya’s Book
15:10 - Personal Data exposed
16:04 - Free training & book details
17:21 - Where to connect with Tanya
17:35 - Closing & thanks
Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel!
Disclaimer: This video is for educational purposes only.
#vibecoding #threatlocker #blackhat