How to do Secure Code Review with Vibe Coding IDEs

Scott Behrens

Principal Security Engineer

Clint Gibler

Head of Research

Bold Claim: By the end of this webinar…

You will…

  • Have a methodology for doing AI-powered code reviews
  • See it in action (Roo Code)
  • Tips, gotchas

→ You can immediately start applying parts (or all) of this at work.

We’ll also share some prompts and “personas” used today you can start with.

🤖 Start code indexing (Qdrant)

🤖 Start “Understanding” process

Roo: Start the Workflow

Our Mindset: Practical, non hype-y

❌ ZOMG everything has changed with AI

✅ Leverage AI where it makes sense

  • Use the right tools for the job
  • Improve existing workflows

Goal: Assess this repo

What We'll Cover

  • Vuln Scanning
  • Understand Repo/Threat Model
  • Reporting
  • Tracing

Methodology

  • Understand
  • Find
  • Fix

Methodology: Understand

Big Picture

  • What does this repo do?
  • What are its core components?
  • Threat model
  • Trust boundaries

Details

  • Tech stack
  • Dependencies
  • Connections to external services and systems

Methodology: Find

  • Existing security tools
    • Semgrep
  • LLM-driven code review
    • Roo Code modes
    • Claude Code custom commands
  • Human code review

Methodology: Fix

Triaging findings

  • Remove false positives
  • Prioritization - How much should I care about fixing this?

Getting it fixed

  • Report / Finding write-up
  • Proof of concept
  • Description
  • How do I fix this in a non-disruptive way?

🤖 Improving an AI prompt with… AI

“Which web frameworks or API frameworks are used in this repo and where do the primary routes/controllers live?”

  1. Claude.ai -> Opus
  2. “You are an expert AI prompt engineer…”
  3. Claude Command: analyze-routes.md

🤖 Start “Find” phase

👀 Review “Understanding” outputs

❌ One mega prompt | ✅ Smaller, focused prompts

❌ One mega prompt:

You are a security expert.

Perform the following assessment:

1. Examine the tech stack and architecture

2. Look for:
* XSS
* SQLi
* Access control bugs

3. Write up each finding

4. Combine the findings into a report

…

✅ Smaller, focused prompts:

  • Tech stack
  • Trust boundaries
  • Routes
  • LLM Code Review
  • Tools (Semgrep)
  • Human Review
  • Write up Finding
  • Generate Report

✍️ Store outputs along the way

  • Tech stack
  • Trust boundaries
  • Routes
  • LLM Code Review
  • Tools (Semgrep)
  • Human Review
  • Write up Finding
  • Generate Report

  • tech_stack.md
  • boundaries.svg
  • routes.md
  • scan.json
  • findings.md
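
One way to connect two of the stored outputs, as an added example that is not from the presenters' own tooling: it reads scan.json, triages the results, and writes findings.md for human review. It assumes scan.json holds Semgrep's JSON output; the sample results, the `tests/` out-of-scope prefix and the function names are constructed for illustration.

```python
import json
from pathlib import Path

# Constructed sample in the shape of Semgrep's JSON output; not real scan results.
SAMPLE_SCAN = {"results": [
    {"check_id": "example.sqli", "path": "app/db.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "User input reaches a SQL string."}},
    {"check_id": "example.xss", "path": "app/views.py", "start": {"line": 10},
     "extra": {"severity": "WARNING", "message": "Unescaped value rendered in HTML."}},
    # Exact repeat of the first result: should collapse into one finding.
    {"check_id": "example.sqli", "path": "app/db.py", "start": {"line": 42},
     "extra": {"severity": "ERROR", "message": "User input reaches a SQL string."}},
    {"check_id": "example.debug", "path": "tests/test_app.py", "start": {"line": 3},
     "extra": {"severity": "INFO", "message": "Debug flag enabled."}},
]}

# Lower rank sorts first; accepts ERROR/WARNING/INFO and CRITICAL..LOW names.
RANK = {"CRITICAL": 0, "HIGH": 1, "ERROR": 1, "MEDIUM": 2, "WARNING": 2,
        "LOW": 3, "INFO": 3}

def triage(scan, out_of_scope=("tests/",)):
    """Deduplicate results, skip out-of-scope paths, sort most severe first."""
    seen, findings = set(), []
    for r in scan.get("results", []):
        key = (r["check_id"], r["path"], r["start"]["line"])
        # The out_of_scope prefix is an assumption of this example.
        if key in seen or r["path"].startswith(out_of_scope):
            continue
        seen.add(key)
        extra = r.get("extra", {})
        findings.append({"rule": key[0], "path": key[1], "line": key[2],
                         "severity": str(extra.get("severity", "INFO")).upper(),
                         "message": extra.get("message", "").strip()})
    findings.sort(key=lambda f: (RANK.get(f["severity"], 4), f["path"], f["line"]))
    return findings

def render_markdown(findings):
    """Render one section per finding, each still marked for human review."""
    lines = ["# Findings", ""]
    for i, f in enumerate(findings, 1):
        lines += [f"## {i}. {f['rule']} ({f['severity']})", "",
                  f"- Location: `{f['path']}:{f['line']}`",
                  f"- Description: {f['message']}",
                  "- Status: needs human review", ""]
    return "\n".join(lines)

def run(scan_path="scan.json", out_path="findings.md"):
    """Read the stored scan output and write the stored findings file."""
    findings = triage(json.loads(Path(scan_path).read_text()))
    Path(out_path).write_text(render_markdown(findings))
    return findings
```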

⚒️ Prompts as functions()

Detailed sets of instructions that perform some task

Can call repeatedly on different inputs (code bases)

→ Roo Code, Claude Code, custom Agent, …

🤖 Start “Fix” phase

👀 Review “Find” outputs

🔮 Future Work

(Rad stuff we didn’t have time to cover today)

  • Adjusting Confidence based on security controls
  • Prioritizing: attacker capability, app security context
  • Business logic scanning in detail

🧠 TL;DR

Understand

  • Repo purpose, core components
  • Threat model, trust boundaries
  • Tech stack, deps, integrations

Find

  • Security tools (Semgrep)
  • LLM-driven (Roo modes)

Fix

  • Triage, prioritization
  • Report, PoC, how to fix

Tips / Ideas

  • Improve prompts with AI
  • Smaller focused prompts > monolith prompts
  • Store prompt outputs along the way
  • Prompts as re-usable functions()
  • Use a vector store for better code search
