Q&A
Building Secure Code Without Breaking the Flow
Q&A with Live! 360 Orlando speaker Alton Crossley explores "vibe coding security" and how to integrate security seamlessly into AI-assisted development workflows.
As generative AI tools like GitHub Copilot reshape the development landscape, a new approach called "vibe coding" is gaining traction. The practice keeps developers in a creative flow by delegating code creation and correctness checks to AI agents. For many teams, the challenge is ensuring that security practices keep pace without interrupting innovation or collaboration.
In this Q&A, Live! 360 speaker Alton Crossley outlines strategies for embedding security directly into AI-driven coding environments. He discusses how automation, maintainability and modern AppSec practices can help developers internalize secure coding principles without feeling burdened by traditional security processes. Crossley also addresses the cultural shifts required to promote psychological safety when handling security failures, emphasizing transparency, shared learning and adaptable security models.
Attendees of Crossley’s session, "Coding with Safe Vibes -- Making Copilot Write Securable Code," will learn how to apply security frameworks such as OWASP FIASSE and the SSEM to maintain both productivity and protection. The session will also highlight practical ways to balance speed-to-market pressures with secure design priorities, particularly for organizations experimenting with AI-assisted coding at scale.
This conversation offers a preview of the insights and actionable guidance Crossley will share in Orlando, aimed at helping development teams align business goals, security standards, and modern AI-assisted workflows.
Make your plans to join us in Orlando this November for Live! 360 to keep the conversation going.
Redmondmag: What does “Vibe Coding Security” mean, and how does it relate to developer culture?
Crossley: "Vibe Coding" exploded in popularity in January of 2025. It is the practice of creating and maintaining code using generative-agentic AI tools (like Copilot) instead of any direct manipulation of code. The advantage is staying in the creative flow instead of being interrupted by technical detail. You "vibe" with the AI and let it focus on the correctness of the code. This is yet another emerging layer of how we tell computers what to do. For this reason, vibe coding security should be something that does not get in the way of your vibe coding flow. AI tooling should give you the right level of quality and security for your context. This takes a little preparation, and some leaning on security assurance.
Redmondmag: How can teams build security habits without stifling innovation or creativity?
Crossley: A major security strategy that opens space for innovation and creativity is automation. For a minimal up-front investment, aspiring developers could be rewarded with generated code that scores better in security tests than their own. They can then see how certain situations can be handled firsthand. Also, by understanding what software engineering activities and software attributes contribute to security, development can make sure to give the correct priority to those things. This prevents developers from needing to learn security's job to do their own. Again, this leaves space for innovation and creativity.
Redmondmag: What tools or practices help developers internalize secure coding principles?
Crossley: Until recently, most of the security information for developers ignored software engineering as a discipline. On top of that, CVE, CWE and vulnerability data were all but unintelligible to software engineers and not close to being practical. Good security training was often rebranded pentester training. It was easy to understand why developers didn't want anything to do with the security team. However, there is currently a fundamental change happening in the AppSec ecosystem where it concerns development. There are AppSec professionals that are acting with the intention to understand and align with the business goals of software engineering on a more foundational level. This break-away group is driving toward implanting security in such a synchronous way that development internalizes it as if it were their own. OWASP FIASSE is a project that aims to capture this formula for everyone.
Redmondmag: How do you foster psychological safety and openness around security failures?
Crossley: In some environments, when there are security failures, it is easy to fall into the trap of assigning blame. The way to avoid a culture that acts this way is by establishing patterns of transparency and accountability. This can be done early in the development process with a structured merge review process and an understanding of the desired attributes of code that result in a securable product. In addition, it is essential to understand that there is no static state of secure. So, when vulnerabilities are found, or even when a breach happens, the most beneficial thing to do is to adhere to the empirical development process so that the learning is a shared experience and not a bludgeoning to be endured by an individual. Using a security model like the SSEM (from OWASP FIASSE) that is tailored to software engineering can help the teams be clinical in these situations.
Redmondmag: Can you provide examples of "vibe shifts" that improved security posture?
Crossley: It doesn't matter if you are vibe coding, just using your Generative-Agentic assistant to chunk along, or even hand jamming a software engineering masterpiece, a minor shift in perspective can go a long way. If you and your LLM understand The Securable Principle and the attributes of the SSEM, you can "vibe" or "flow" your way to securable code. A specific example that is overlooked is the role of maintainability when it comes to security. If you or your code assistant can't analyze, modify or test the code, it is not securable. So, it helps to instruct your assistant to generate maintainable code, as well as keeping it trustworthy and reliable.
Redmondmag: How do you balance speed, collaboration and secure design in modern dev teams?
Crossley: Speed, collaboration and secure design are to be weighed against business need. It is common for security to forget that the business exists to do business and not just to be secure. This is really the pivot point around which everything revolves, and it is different for every business. Often, younger businesses have a higher risk tolerance and benefit more from being first to market. These businesses need to balance this need for speed with the nature of the data and operations the software product handles. Smaller iterations may seem counter-intuitive to security. AppSec adapting to such a situation could be a differentiator for a business. There is certainly no one-size-fits-all when it comes to AppSec.