Your developers are the attack surface now and vibe coding as a vulnerability | Tanya Janca
Microsoft’s wandering eyes, data labeling duties for senior devs at Meta, and prod is the new source code
Developers are like water: if you make your security protocols too difficult, they will find a way to flow right around them. This week on Dev Interrupted, bestselling author and OWASP Top 10 Project Leader Tanya Janca returns to unpack why vibe coding has officially made the list of the most critical security risks in software development. Tanya breaks down the psychology of bad code, explains why the modern software engineer has become the primary attack surface, and shares actionable strategies for shifting security left directly into your AI prompts. Finally, she provides practical, behavioral solutions for building a golden path that makes secure coding the easy choice for your engineering team.
1. The dismantling of Meta’s engineering culture
Meta is undergoing a radical restructuring that abandons many of the fundamentals that built the company in the first place. According to The Pragmatic Engineer, Meta has implemented mandatory keystroke tracking and reassigned 30 to 50 percent of their engineers on core teams to data labeling. That equates to roughly 4,500 to 6,500 highly technical employees pulled off core teams just to tell an AI if it is doing a good job, alongside a recent 10 percent workforce reduction. Ripping apart critical infrastructure and security teams in an anxious rush to justify AI expenditures is a dangerous pivot, and I think the AI psychosis label is pretty fitting here.
Read: Why is Meta destroying its engineering organization?
2. Raising the bar for engineering discipline
Charity Majors argues that as AI-generated code approaches median software-engineer quality, the need for rigorous discipline actually increases. The economics of code production completely flipped this year. Since generating code is now incredibly cheap, the real value humans provide is maintaining a shared understanding of good software architecture. Non-deterministic AI systems demand even higher quality gates than traditional human code, meaning your observability practices and tight production feedback loops are more critical than ever.
Read: AI demands more engineering discipline. Not less
3. The rise of domain-specific open weights
Long-horizon coding tasks are the new frontier for agentic workflows, and an open source model from China just made a massive splash in that arena. Z.ai released GLM-5.2 under an MIT license, and it is actively beating GPT-5.5 on long-running benchmarks for a fraction of the cost. We are quickly moving toward a fragmented future where highly specialized, domain-specific models outperform generalized tools. Having the ability to run and fine-tune these open-weight models locally gives your team incredible power to escape astronomical inference bills.
4. Microsoft’s search for cheaper inference
The pressure of climbing API costs is forcing even the biggest players to reconsider their foundational strategies. Microsoft is reportedly considering self-hosting DeepSeek to power Copilot as a lower cost alternative to their historically deep partnership with OpenAI. While it is unclear how the US government will react to a major enterprise utilizing a Chinese model for sensitive proprietary data, it proves that the search for cheaper, more efficient model routing is currently a top priority for everyone in the industry.
Read: Microsoft Mulls China’s DeepSeek for Copilot, Probably to Trump’s Chagrin
5. Life beyond tokenmaxxing
Your team is generating more code than ever before, but is your delivery actually getting faster? When AI speeds up code generation, it often shifts bottlenecks downstream to review and deployment, leaving your system lopsided.
Stop relying on code volume metrics and falling into the tokenmaxxing trap. Join Ben and me for a 45-minute workshop on June 25 to discover how to measure AI’s real impact across the SDLC. You will get the exact operational model you need to answer board-level ROI questions, plus first access to our new guide on measuring AI efficiency.
6. The federal crackdown on Fable 5
I used every token of Fable that was available to me right up until it was abruptly taken away. Just as we were getting used to its massive orchestration capabilities, the US government ordered Anthropic to immediately disable access over national security concerns regarding an alleged jailbreak. While Anthropic claims the issue is narrow and exists in other widely deployed models, rumors suggest an AWS research team reported the vulnerability. Regardless of the exact politics, this rapid shutdown is a harsh reminder of the instability we face when relying entirely on proprietary frontier models to run our critical workflows.
Read: Kayfable
7. The persistent return to expertise
Anthropic recently analyzed 400,000 Claude Code sessions and uncovered a fascinating division of labor within modern agentic coding. Humans are currently making over 70 percent of the planning decisions, while the model handles over 80 percent of the pure execution. My co-host Ben Lloyd Pearson correctly noted that practitioners with strong domain understanding get roughly five times the output from their models compared to complete novices. As the complexity of our work shifts from simple bug fixes to deployment and data analysis, the true bottleneck is no longer coding skill, but deep domain expertise.