The State of Vibe Coding: English as the New Code
Editor’s Note: Hi Webrack readers, Mantaneng here. Managing our portfolio of websites and working on custom mobile apps has shown me exactly how fast our tech stack is evolving. But the recent explosion of “vibe coding” isn’t just a new framework—it’s a complete shift in who gets to build software. We recently reviewed a comprehensive report on the State of Vibe Coding, and I wanted to break down what it means for our local South African ecosystem. Let’s dive in.
What is Vibe Coding?
Earlier in 2025, Andrej Karpathy (co-founder of OpenAI) coined the term “vibe coding”. He described it as an AI-led coding experience where you “fully give in to the vibes, embrace exponentials, and forget that the code even exists”.
Because of this shift, English is becoming the world’s most powerful programming language. The adoption metrics are staggering: currently, 92% of U.S. developers use AI coding tools every day according to Stack Overflow’s 2025 Developer Survey. The market is responding just as aggressively, with vibe coding tools like Cursor, v0, and Lovable hitting $100M+ in annual recurring revenue (ARR) in just months.
Even tech industry titans are embracing the trend—Sundar Pichai has spent his spare time building webpages with bare-minimum coding, and Larry Page has been building with tools like v0.
Traditional Coding vs Vibe Coding
// Traditional Coding: Manual implementation
// Building a user authentication system the old way
import bcrypt from 'bcrypt';
import jwt from 'jsonwebtoken';
import { PrismaClient } from '@prisma/client';

const prisma = new PrismaClient();

interface RegisterRequest {
  email: string;
  password: string;
  name: string;
}

async function registerUser(data: RegisterRequest) {
  // Validate email format
  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  if (!emailRegex.test(data.email)) {
    throw new Error('Invalid email format');
  }

  // Check if user exists
  const existingUser = await prisma.user.findUnique({
    where: { email: data.email }
  });
  if (existingUser) {
    throw new Error('User already exists');
  }

  // Hash password
  const saltRounds = 10;
  const hashedPassword = await bcrypt.hash(data.password, saltRounds);

  // Create user
  const user = await prisma.user.create({
    data: {
      email: data.email,
      name: data.name,
      password: hashedPassword,
    }
  });

  // Generate JWT token
  const token = jwt.sign(
    { userId: user.id, email: user.email },
    process.env.JWT_SECRET!,
    { expiresIn: '7d' }
  );

  // Return the user without the password hash
  const { password: _passwordHash, ...safeUser } = user;
  return { user: safeUser, token };
}
// Hours of work: 2-4 hours (including testing, edge cases, security review)
# Vibe Coding: Natural language prompt
# Same authentication system with AI assistance
Prompt to AI: "Create a user registration API endpoint with:
- Email validation
- Password hashing with bcrypt
- Duplicate email check
- JWT token generation
- TypeScript types
- Prisma ORM integration
- Error handling for all edge cases"
# AI generates complete, production-ready code in 30 seconds
# Developer reviews, tweaks, deploys
# Time: 5-10 minutes
The difference is stark. What once took hours of Stack Overflow searching, documentation reading, and debugging now takes minutes of natural language instruction.
The Great Flattening: Democratizing Tech in South Africa
The traditional development model is shifting rapidly. AI-powered teams of under 10 people now do what once took 100 engineers.
For the South African context, this is a massive game-changer. We face a well-documented technical skills shortage, making it incredibly expensive for local startups and SMEs to hire dedicated development teams. According to OfferZen’s 2025 State of the SA Developer Nation Report, the average mid-level developer salary in Johannesburg is R75,000-R95,000 per month—a prohibitive cost for bootstrapped startups.
Real-World SA Use Cases
// Example: Cape Town tourism startup
// Before: Needed R2M+ funding to build MVP with dev team
// After: Founder built prototype in 2 weeks using v0 and Cursor
// Prompt: "Build a booking system for township tours with:
// - Stripe payment integration
// - WhatsApp notifications via Twilio
// - Multi-language support (English, Xhosa, Zulu, Afrikaans)
// - Mobile-first responsive design
// - Admin dashboard for tour operators"
// AI generates:
// Next.js frontend with Tailwind CSS
// Supabase backend with real-time updates
// Payment processing with error handling
// SMS/WhatsApp integration
// i18n localization
// Admin dashboard with analytics
// Total cost: R5,000 (AI subscriptions + hosting)
// Time to MVP: 2 weeks
// Savings: R1.95M+ and 6 months
Vibe coding democratizes creation, empowering entrepreneurs and marketing teams to spin up applications instantly. A Johannesburg-based e-commerce store manager can now build their own inventory management tool without touching JavaScript. A Pretoria NGO coordinator can create a donor tracking system over a weekend.
However, there is a clear divide in where this technology is most effective:
Vibe Coding Sweet Spot:
- Prototyping and MVPs
- Internal business tools
- Marketing websites and landing pages
- CRUD applications and dashboards
- API integrations and automation scripts
Traditional Coding Still Required:
- Banking and fintech core systems
- Healthcare patient management systems
- High-frequency trading platforms
- Autonomous vehicle software
- Large-scale enterprise applications (SAP, Oracle level)
The Dark Side: Security and POPIA Risks
While the speed of vibe coding is incredible, it bypasses the traditional quality assurance guardrails that experienced engineers rely on. South African tech leaders and institutions, including researchers at Wits University, have recently warned that blind reliance on AI-generated code introduces severe risks—especially in heavily regulated industries like finance and healthcare.
Common AI-Generated Vulnerabilities
// DANGEROUS: AI-generated code without security review
// Example: SQL injection vulnerability
import { sql } from '@vercel/postgres';

// AI might generate this naive implementation
async function getUserByEmail(email: string) {
  const query = `SELECT * FROM users WHERE email = '${email}'`;
  const result = await sql.query(query);
  return result.rows[0];
}
// Attacker input: "admin@example.com' OR '1'='1"
// Result: The WHERE clause matches ALL users in the database and rows[0] returns the first one (SQL injection)
// POPIA Violation: Exposed all user data
// Financial Loss: R10M+ potential fine
// SECURE: Proper implementation with parameterized queries
import { sql } from '@vercel/postgres';

async function getUserByEmail(email: string) {
  // Input validation
  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
  if (!emailRegex.test(email)) {
    throw new Error('Invalid email format');
  }

  // Parameterized query prevents SQL injection
  const result = await sql`
    SELECT id, email, name, created_at
    FROM users
    WHERE email = ${email}
  `;
  return result.rows[0];
}
// POPIA Compliant: Only queries necessary fields
// Secure: Parameterized queries prevent injection
// Validated: Input sanitization before query
AI models can sometimes generate vulnerable code, leading to:
- SQL/NoSQL injection flaws (like the example above)
- Cross-Site Scripting (XSS) vulnerabilities
- Insecure API endpoints without authentication
- Misconfigured cloud firewalls exposing databases publicly
- Hardcoded credentials committed to GitHub
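Both snippets above put `${email}` inside backticks; the only difference is the `sql` tag in front of the second one. The following added example (not from the original article and not @vercel/postgres code; `paramTag`, `buildUnsafe` and `inputReachedSqlText` are hypothetical names) shows how a tag function receives the values separately from the SQL text, and how a reviewer can check whether input leaked into the text.

```typescript
// Added example. This mimics how a tagged template can parameterize a query;
// it is not the @vercel/postgres implementation.
interface QueryConfig {
  text: string;      // SQL sent to the server, with $1, $2, ... placeholders
  values: unknown[]; // data sent separately, never parsed as SQL
}

// A tag function gets the literal chunks and the interpolated values as
// separate arguments, so it can emit placeholders instead of concatenating.
function paramTag(strings: TemplateStringsArray, ...values: unknown[]): QueryConfig {
  let text = strings[0] ?? '';
  values.forEach((_value, i) => {
    text += `$${i + 1}${strings[i + 1] ?? ''}`;
  });
  return { text, values };
}

// The pattern from the vulnerable snippet: an untagged template literal is
// ordinary string concatenation.
function buildUnsafe(email: string): string {
  return `SELECT * FROM users WHERE email = '${email}'`;
}

// Review aid: true when caller-supplied data ended up inside the SQL text.
function inputReachedSqlText(sqlText: string, input: string): boolean {
  return input.length > 0 && sqlText.includes(input);
}

// Input string quoted in the article's vulnerable example.
const articleInput = "admin@example.com' OR '1'='1";

function compare(input: string) {
  const unsafeText = buildUnsafe(input);
  const safe = paramTag`SELECT id, email, name, created_at FROM users WHERE email = ${input}`;
  return {
    unsafeText,
    safeText: safe.text,
    safeValues: safe.values,
    unsafeTainted: inputReachedSqlText(unsafeText, input),
    safeTainted: inputReachedSqlText(safe.text, input),
  };
}

console.log(compare(articleInput));
```

In code review, a backtick string passed to `sql.query(...)` or any other query call without the tag is the pattern to flag.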
POPIA Compliance Requirements
In South Africa, deploying insecure code isn’t just a technical glitch; it’s a legal liability. The Protection of Personal Information Act (POPIA) demands strict safeguarding of user data.
Key POPIA requirements often violated by unreviewed AI code:
// POPIA Section 19: Security Safeguards
interface POPIACompliantSystem {
  dataEncryption: 'AES-256' | 'ChaCha20';          // Required
  accessControl: 'Role-Based' | 'Attribute-Based'; // Required
  auditLogging: boolean;                           // Required
  dataMinimization: boolean;                       // Required
  rightToErasure: boolean;                         // Required
  dataRetention: {
    maxDays: number;            // Must be defined
    automaticDeletion: boolean; // Required
  };
}
// AI-generated code often misses these requirements
// Example: AI might store user data indefinitely without deletion logic
Furthermore, with South Africa’s Draft National AI Policy entering its public consultation phase in March 2026, organizations will face even stricter expectations around:
- Responsible AI usage and transparency
- Algorithmic accountability and bias testing
- Data governance frameworks
- AI impact assessments for high-risk applications
If an AI tool inadvertently leaves a database publicly accessible (a common mistake in AI-generated Supabase or Firebase configurations), the business—not the AI platform—will be held legally liable for the breach.
Potential POPIA penalties:
- Up to R10 million in fines
- Criminal charges for executives (up to 10 years imprisonment)
- Reputational damage in regulated industries
- Class action lawsuits from affected customers
Building the Right Guardrails
We can’t put the vibe coding genie back in the bottle. By the late 2020s, vibe coding will simply be how development tools work—rather than a separate feature to consider. AI-assisted code will become as routine as syntax highlighting, used universally without fanfare.
Enterprise-Grade Security Checklist
#!/bin/bash
# Post-AI-Generation Security Review Script
status=0  # set to 1 when any scanner reports a problem

echo "🔍 Running security audit on AI-generated code..."

# 1. Check for hardcoded secrets
echo "Scanning for credentials..."
gitleaks detect --source . --verbose || status=1

# 2. Run static analysis (--error makes semgrep exit non-zero on findings)
echo "Running static security analysis..."
semgrep --config=auto --error --json --output=semgrep-results.json || status=1

# 3. Check dependencies for vulnerabilities
echo "Auditing npm dependencies..."
npm audit --audit-level=high || status=1

# 4. Test for SQL injection
echo "Testing database queries..."
sqlmap -u "http://localhost:3000/api/*" --batch --crawl=2

# 5. Verify POPIA compliance
echo "Checking POPIA compliance..."
# - Data encryption: Yes/No
# - Access controls: Yes/No
# - Audit logging: Yes/No
# - Data minimization: Yes/No
# - Retention policies: Yes/No

echo "Security review complete"
# Fail the run if any scanner above reported a problem
exit "$status"
Best Practices for SA Businesses
- Always Human-Review AI Code before production deployment
- Use AI for Speed, Not Substitution - AI generates, humans validate
- Implement Automated Security Testing (OWASP ZAP, Snyk)
- Train Teams on POPIA Requirements specific to AI-generated code
- Version Control Everything - Never deploy AI code without Git tracking
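// Recommended workflow for vibe coding in SA enterprises
// The `ai` client and the abstract methods are placeholders for your own tooling.
declare const ai: { generate(prompt: string): Promise<string> };

abstract class VibeCodingWorkflow {
  protected abstract scanForVulnerabilities(code: string): Promise<{ critical: string[] }>;
  protected abstract checkPOPIACompliance(code: string): Promise<{ compliant: boolean; violations: string[] }>;
  protected abstract requestPeerReview(code: string): Promise<void>;
  protected abstract deployToStaging(code: string): Promise<void>;
  protected abstract validateStaging(): Promise<boolean>;
  protected abstract deployToProduction(code: string): Promise<void>;

  async buildFeature(prompt: string) {
    // Step 1: AI generates code
    const generatedCode = await ai.generate(prompt);

    // Step 2: Automated security scan
    const securityIssues = await this.scanForVulnerabilities(generatedCode);
    if (securityIssues.critical.length > 0) {
      throw new Error('Critical vulnerabilities detected');
    }

    // Step 3: POPIA compliance check
    const popiaIssues = await this.checkPOPIACompliance(generatedCode);
    if (!popiaIssues.compliant) {
      console.warn('POPIA issues:', popiaIssues.violations);
    }

    // Step 4: Human code review
    await this.requestPeerReview(generatedCode);

    // Step 5: Staging deployment with monitoring
    await this.deployToStaging(generatedCode);

    // Step 6: Production only after validation
    if (await this.validateStaging()) {
      await this.deployToProduction(generatedCode);
    }
  }
}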
The Future: v0 and Next-Generation Tools
It’s no longer a question of whether vibe coding will reshape business—it’s whether your organization will build the right guardrails to harness it safely and effectively.
Platforms like v0 by Vercel are pushing this revolution forward by providing the developer tools and cloud infrastructure to build, scale, and secure a faster, more personalized web. Its features include:
- Single-tap deployment to Vercel’s edge network
- Built-in security scanning and dependency updates
- Type-safe code generation with full TypeScript support
- Component library integration (shadcn/ui, Radix)
- Responsive design out of the box
Developers are contributing to building proper guardrails with every project.
v0 Example: Building a POPIA-Compliant Contact Form
// Prompt to v0: "Create a contact form with POPIA consent checkbox"
// Generated output includes:
import { useState, type FormEvent } from 'react';
import { Button } from '@/components/ui/button';
import { Input } from '@/components/ui/input';
import { Checkbox } from '@/components/ui/checkbox';

export function ContactForm() {
  const [consent, setConsent] = useState(false);

  const handleSubmit = async (e: FormEvent<HTMLFormElement>) => {
    e.preventDefault();
    if (!consent) {
      alert('Please consent to data processing as required by POPIA');
      return;
    }
    // Read the fields through FormData; e.target is not typed as a form
    const form = new FormData(e.currentTarget);
    // Form submission with GDPR/POPIA compliance
    await fetch('/api/contact', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        email: form.get('email'),
        message: form.get('message'),
        consent: true,
        timestamp: new Date().toISOString()
      })
    });
  };

  return (
    <form onSubmit={handleSubmit}>
      <Input name="email" type="email" required />
      <textarea name="message" required />
      <div className="flex items-center gap-2">
        <Checkbox
          id="consent"
          checked={consent}
          // onCheckedChange can also report 'indeterminate'; only true counts
          onCheckedChange={(checked) => setConsent(checked === true)}
          required
        />
        <label htmlFor="consent">
          I consent to Webrack processing my data in accordance with{' '}
          <a href="/privacy">POPIA regulations</a>
        </label>
      </div>
      <Button type="submit" disabled={!consent}>
        Submit
      </Button>
    </form>
  );
}
// POPIA compliant: Explicit consent required
// Type-safe: Full TypeScript support
// Accessible: Proper ARIA labels
// Responsive: Works on mobile/desktop
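The `disabled={!consent}` button and the `if (!consent)` check run only in the browser, and the request body always carries `consent: true`, so the `/api/contact` handler has to enforce consent itself. The following added example (not v0 output and not the article's code; `validateContactSubmission`, `ContactRecord` and the length limit are assumptions) shows the server-side check that the form relies on.

```typescript
// Added example. Hypothetical validation for the form's /api/contact endpoint.
interface ContactRecord {
  email: string;
  message: string;
  consentRecordedAt: string; // set by the server, not taken from the client
}

type ValidationResult =
  | { ok: true; record: ContactRecord }
  | { ok: false; status: number; error: string };

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/; // same pattern the article uses
const MAX_MESSAGE_LENGTH = 5000;               // assumed limit

function validateContactSubmission(body: unknown, now: Date = new Date()): ValidationResult {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    return { ok: false, status: 400, error: 'Body must be a JSON object' };
  }
  const { email, message, consent } = body as Record<string, unknown>;

  // Consent must be the boolean true; "true", 1 or a missing field do not count.
  if (consent !== true) {
    return { ok: false, status: 422, error: 'Consent is required' };
  }
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    return { ok: false, status: 400, error: 'Invalid email format' };
  }
  if (typeof message !== 'string' || message.trim() === '' || message.length > MAX_MESSAGE_LENGTH) {
    return { ok: false, status: 400, error: 'Invalid message' };
  }
  // Keep only the fields the form needs and stamp consent time server-side;
  // the client-supplied timestamp is ignored because it can be forged.
  return {
    ok: true,
    record: { email, message: message.trim(), consentRecordedAt: now.toISOString() },
  };
}

// Constructed sample requests: one valid, one sending consent as a string.
const fixedNow = new Date('2026-01-01T00:00:00.000Z');
const accepted = validateContactSubmission(
  { email: 'user@example.com', message: ' Hello ', consent: true, timestamp: '1999-01-01T00:00:00Z' },
  fixedNow,
);
const rejected = validateContactSubmission({ email: 'user@example.com', message: 'Hello', consent: 'true' }, fixedNow);
console.log(accepted, rejected);
```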
Conclusion: Embrace with Eyes Open
The choice is simple: Embrace the vibe coding revolution with proper guardrails or watch others build the future while you’re still learning syntax.
For South African businesses, vibe coding represents:
- Opportunity: Democratizes software development for resource-constrained startups
- Speed: Reduces time-to-market from months to weeks
- Cost Savings: R1M+ savings on MVP development
- Risk: Security vulnerabilities if code isn’t reviewed
- Compliance: POPIA violations can result in R10M+ fines
- Technical Debt: AI-generated code needs refactoring for scale
Key Takeaways
- English is Programming: Natural language is becoming the primary interface for software development
- 92% Adoption: Near-universal adoption among developers in 2026
- Cost Democratization: SA startups can build MVPs for R5,000 instead of R2M+
- Security Critical: Always review AI code for vulnerabilities before deployment
- POPIA Mandatory: Data sovereignty and privacy compliance non-negotiable
- Guardrails Essential: Automated security testing, human review, staging environments required
- Future-Proof: AI coding will become standard development practice by 2028