I can't code, but Claude can...
This post comes to you with the following bits of code written for a repository of security tools that we use in-house:
- A Python library to run Luhn checks.
- A Rust application that analyses the cipher suites offered by web endpoints, checks for the presence of HSTS headers, examines other web app headers for security flaws, and analyses the security of X.509 certificates and their chains.
- An Nmap extension that replaces the letter-grade cipher suite security rating with one of EXCELLENT, GOOD, AVERAGE, BAD or BROKEN, along with the reasoning for the rating.
- An Nmap extension that takes a list of documented ports for compliance purposes, marks those as ACCEPTED when found, and flags all other exposed ports as suspicious, with rationales as to how to remedy those findings.
- An OCSP analysis application in Python that provides comprehensive OCSP checks, with a reduced-functionality cert-info command that prints basic information about an X.509 certificate, which it can either fetch from an online reference or parse from a file.
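To make the first item concrete, here is a Luhn validator and check-digit generator in Python. It is an added example, not the author's in-house library; the number 79927398713 used in the comments is the standard Luhn test vector.

```python
"""Luhn (mod 10) check-digit validation and generation.

Luhn detects single-digit typos and most adjacent transpositions in card
and account numbers; it is an integrity check, not a security control.
"""

import re

_SEPARATORS = re.compile(r"[\s-]")


def _digits(value: str) -> str:
    """Strip spaces and dashes; reject anything else that is not a digit."""
    cleaned = _SEPARATORS.sub("", value)
    if not cleaned.isdigit():
        raise ValueError(f"not a numeric string: {value!r}")
    return cleaned


def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum mod 10 of a digit string (payload plus check digit)."""
    total = 0
    # Walk right to left; every second digit (starting with the second from
    # the right) is doubled, and products above 9 have 9 subtracted.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def is_valid(value: str) -> bool:
    """True if the number (optionally with spaces/dashes) passes the Luhn check."""
    try:
        digits = _digits(value)
    except ValueError:
        return False
    # A single digit has no payload to protect; treat it as invalid.
    return len(digits) >= 2 and luhn_checksum(digits) == 0


def check_digit(payload: str) -> str:
    """Compute the digit that makes payload + digit Luhn-valid."""
    digits = _digits(payload)
    # Appending a placeholder 0 puts the payload digits in their final
    # positions; the check digit is whatever lifts the sum to a multiple of 10.
    return str((10 - luhn_checksum(digits + "0")) % 10)
```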
I've spent a considerable amount of time turning my nose up at vibe coding, but am starting to come around to the concept. While I'd never release production-grade code using this method, I think that there is scope for it in what I am trying to achieve.
As a small infosec team buried under a raft of legislation, topped up by various command and control compliance frameworks, and sprinkled with a healthy dose of customer paranoia (laughing at all of them who went for a ball of shit when us-east-1 went down this week!), there isn't much time to spend coding. Considering that the tools I use are pretty much extensions of the concepts implemented by the likes of nmap, openssl, wireshark et al, just with more emojis and prettier formatting, I'm not writing tools that I will rely on exclusively. I can always go back to the original applications if something goes pear-shaped. The tools I have created aim to be more approachable, both for myself, as someone who understands the problem domain and can prompt CoPilot into creating the code I want to work the way I need, and for my colleagues, who can use this code to self-serve some queries from time to time. Plus, I love nothing more than nice apps that draw pretty lines in iTerm2.
As it stands, vibe coding is working for me. I have created thousands of lines of code, all fully backed by test suites and with comprehensive documentation, over the course of five days. Maybe vibe coding is how power users who cannot program can create the applications they want, or extend the tools they already use, without having to learn half a dozen languages.