Recently, some pretty serious vulnerabilities popped up in Next.js and React. This got me thinking about how teams are using AI to generate software, sometimes called ‘vibe coding’. It’s easy to overlook the risks when you’re just trying to get things done quickly.
I decided to check my own "secure my emails" tool, which was built using AI. It looks at your email security and gives you a score. What it found was interesting: instead of using the standard libraries provided by Cloudflare, where the website is hosted, some libraries were hardcoded. This made the configuration unnecessarily complicated. More importantly, it flagged that some of those libraries were pretty old versions. As it turns out, my site wasn’t vulnerable to the specific React issue because it was using an older version that didn’t have that particular problem. It’s a bit of a double-edged sword, isn’t it?
Key Takeaways
- AI Isn’t Always Right: AI can tell you code is secure when it’s not. Always double-check.
- Keep Libraries Updated: Old libraries are a common source of vulnerabilities.
- Experience Matters: Seasoned developers spot risks that AI might miss.
- Sanity Check AI Code: Have someone experienced review code generated by AI.
- Don’t Rely on Certifications Alone: Standards like ISO 27001 and Cyber Essentials don’t guarantee security.
The Danger of Outdated Libraries and Configurations
When you’re building websites, especially with newer tools like React and Next.js, it’s super important to keep your libraries up-to-date. The recent issues highlight how using older versions can leave your business exposed. It’s not just about having the latest features; it’s about security. Those vulnerabilities, like the ones found in React and Next.js, can be serious business risks.
Understanding Vulnerability Scores
Vulnerabilities are catalogued with CVE identifiers and rated for severity with CVSS scores. A CVSS score of 10 is the highest, meaning it’s extremely risky. Traditional web designers with years of experience often recognise these threats instinctively. However, junior developers or those relying heavily on AI might not spot these dangers. They might just put code online without thinking about the potential consequences, which could lead to massive GDPR fines or other security breaches.
Why AI Can Be Misleading
AI tools are getting really good, but they aren’t perfect. They can happily tell you that your code is secure, even when it’s not. I’ve heard from two different web designers this month who thought they were taking cybersecurity seriously, only to find they had critical vulnerabilities on their web servers. It seems that even having certifications like ISO 27001 and Cyber Essentials doesn’t automatically mean you’re safe.
Advice for Business Leaders
So, what’s the takeaway for business leaders? Don’t just take AI’s word for it, or even a web designer’s word, as gospel. It’s vital to have someone experienced look over the work. They can sanity-check if the company is doing what they claim and if the code is actually secure. Just because something works doesn’t mean it’s safe. You could be facing a huge fine or a major security incident without even realising it.