Measuring Security Drift in Iteratively Vibe-Coded Web Applications
Authors
Danielsen, Magnus Ensted ; Berge, Sebastian Skurseth
Term
4th semester
Education
Publication year
2026
Submitted on
2026-06-03
Pages
127
Abstract
This thesis examines whether iterative, prompt-driven AI development, often called vibe coding, leads to a gradual erosion of an application's security over time, a phenomenon known as security drift. A complete school management system was built step by step with increasing complexity. The experiment was repeated independently with four leading language models and three web technology stacks, producing 12 parallel variants. Each variant was assessed at every stage through manual penetration testing (specialists attempt to find weaknesses) and static analysis (automated code scanning). The results show that security drift occurs consistently: early vulnerabilities persisted, new weaknesses accumulated at a near-constant rate, and models sometimes removed existing protections while adding features. The recurring flaws clustered in design, authentication, and access control rather than in syntax. Choosing a secure-by-default framework shaped the outcome more than the choice of model, and static analysis largely missed the dominant design and authorization flaws. The study concludes that rigorous human security review is essential before deploying vibe-coded applications to production.
This thesis examines whether iterative, prompt-driven AI development, often called vibe coding, causes an application's security to degrade gradually over time, a phenomenon known as security drift. A complete school administration system was built step by step with increasing complexity. The experiment was carried out independently with four leading language models and three web technology stacks, yielding 12 parallel variants. Each variant was assessed at every step by manual penetration testing (experts attempt to find vulnerabilities) and static analysis (automated code scanning). The results show that security drift occurs consistently: early vulnerabilities lingered, new weaknesses arrived at a near-constant pace, and models occasionally removed existing protections when features were added. The recurring flaws lay primarily in design, authentication, and access control rather than in syntax. The choice of a secure-by-default framework affected the outcome more than the choice of model, and static analysis largely overlooked the dominant design and authorization flaws. The conclusion is that thorough human security review is essential before deploying vibe-coded applications to production.
[This abstract has been rewritten with the help of AI based on the project's original abstract]
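The abstract's central observation, that the dominant flaws were authorization and design errors which static analysis did not catch, is easiest to see on a concrete handler. The example below is added for this page and is not code from the thesis or its generated applications: it models a school-management "get grades" endpoint in two forms, one missing the object-level authorization check and one with it. The grade records, the `Session` type, the teacher-to-student mapping and the function names are assumptions chosen for illustration. Neither version contains an injection sink or unsafe API call, which is why a syntax-oriented scanner sees nothing to report; only a check of who may read which record exposes the difference. The `regression_probe` function is the kind of per-iteration check a human reviewer can re-run after each prompt-driven change to detect a protection that a later feature quietly removed.

```python
"""Broken object-level authorization in a school-management handler,
vulnerable form beside hardened form. Hypothetical example written for
this page; not code from the thesis. Data model, Session type and
function names are assumptions."""
from dataclasses import dataclass

# Constructed sample data standing in for the school database.
GRADES = {
    "s-001": {"math": "A", "history": "B"},
    "s-002": {"math": "C", "history": "A"},
}
# Teacher id -> set of student ids that teacher is allowed to view.
TEACHER_OF = {"t-100": {"s-001", "s-002"}}


@dataclass(frozen=True)
class Session:
    """Result of a successful login; authentication is assumed done."""
    user_id: str
    role: str  # "student" or "teacher"


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized."""


def get_grades_vulnerable(session: Session, student_id: str) -> dict:
    """Feature-complete handler with the authorization step missing.
    The caller is authenticated (we hold a Session), but nothing ties
    the requested student_id to the caller, so any student can read
    any other student's grades. No scanner-visible sink is involved."""
    if student_id not in GRADES:
        raise KeyError(student_id)
    return GRADES[student_id]


def can_view_grades(session: Session, student_id: str) -> bool:
    """Ownership/role policy kept in one place so every handler that
    touches grade records reuses the same rule."""
    if session.role == "student":
        return session.user_id == student_id
    if session.role == "teacher":
        return student_id in TEACHER_OF.get(session.user_id, set())
    return False


def get_grades_hardened(session: Session, student_id: str) -> dict:
    """Same handler with the object-level check. The check runs before
    the existence lookup so an unauthorized caller cannot learn which
    student ids exist from a KeyError-versus-Forbidden difference."""
    if not can_view_grades(session, student_id):
        raise Forbidden(f"{session.user_id} may not view {student_id}")
    if student_id not in GRADES:
        raise KeyError(student_id)
    return GRADES[student_id]


def regression_probe() -> dict:
    """Per-iteration check: does a student still obtain another
    student's grades? Returns {handler_name: leaks} so the result can
    be asserted on rather than eyeballed."""
    attacker = Session("s-002", "student")
    leaks = {}
    for name, handler in (("vulnerable", get_grades_vulnerable),
                          ("hardened", get_grades_hardened)):
        try:
            handler(attacker, "s-001")
            leaks[name] = True
        except Forbidden:
            leaks[name] = False
    return leaks


if __name__ == "__main__":
    print(regression_probe())  # {'vulnerable': True, 'hardened': False}
```

A probe like this is deliberately tied to the application's own domain objects rather than to a code pattern, which is what a static analyzer lacks: the scanner has no model of who owns a grade record, so it cannot know that the first handler is wrong. Keeping the policy in `can_view_grades` and asserting on it after every generated change is the cheap form of the "rigorous human security review" the abstract calls for.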
