Operational efficiency

2026-03-24

Build fast, stay safe: how we made AI-built apps enterprise-secure

Anyone can build an app now. That changes everything.

Something big is happening. Tools like Lovable, Bolt, and Cursor let people who aren’t developers build real business applications — in hours. A building manager needs an energy dashboard — done before lunch. An operations lead wants a maintenance tracker — describe it, and AI writes the code.

This is called “vibe coding.” It’s fast, it’s accessible, and it’s spreading across every industry.

But here’s the catch.

Veracode’s 2025 GenAI Code Security Report found that 45% of AI-generated code contains security vulnerabilities. Wiz Research showed that 1 in 5 vibe-coded apps has serious misconfigurations — hardcoded secrets, client-side authentication, insecure data policies. Tenzai tested five major AI coding tools and found 69 vulnerabilities across just 15 applications. Several were rated critical.

The people building with these tools aren’t security experts. That’s the whole point — and the whole problem.

IT departments face an unfair choice: allow the speed and accept the risk, or block everything and lose the value.

We built a third option.

Don’t fix the code. Fix the architecture.

The usual answer is more code review. Scan the output, find the flaws, patch them, repeat. That works for professional development teams. It doesn’t scale when the whole idea is that anyone can build.

The Databricks AI Red Team showed why. They asked Claude to build a multiplayer snake game. The AI used Python’s pickle module for serialization — a known path to remote code execution. The app worked perfectly. The vulnerability was invisible unless you already knew what to look for.

AI optimizes for “does it work?” Not “is it safe?”

We took a different approach. Instead of catching mistakes after the fact, we designed an architecture where the most dangerous categories of vulnerability simply cannot exist.

The idea is simple: the app itself has no access to anything sensitive. No secrets. No database. No backend. No authorization logic. It’s a thin presentation layer — HTML, CSS, JavaScript — that gets all its data and all its security from the platform underneath.

Three layers. Clear responsibilities.

The app is built with AI tools. It contains only the user interface. No passwords, no API keys, no database connections, no server-side code. Think of it as a window — it can show information, but it doesn’t store or protect it.

Microsoft Entra ID handles authentication. When someone opens the app, they log in with their existing organizational account. MFA, single sign-on, conditional access — all inherited from the organization’s own setup. The app never touches a password.

ProptechOS stores all data and enforces all access control. Every request is checked server-side: who’s asking, what they’re allowed to see, whether the request is valid. Even if someone tampered with the app’s JavaScript, ProptechOS would still enforce the right permissions.

No trust is placed in the app. All trust lives in the platform.
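The server-side gate described above, as an added illustration that is not ProptechOS code: identity comes only from a verified token, permissions only from a platform-side table, and nothing the client writes into the request body (a requested building, a self-declared role) is trusted. The HMAC-signed token, the ACL and the building data are constructed stand-ins; a real deployment validates the Entra ID token against the issuer's published keys.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the identity provider's signing key (simulation only).
IDP_KEY = b"constructed-demo-key"

# Platform-side access control list and data. Constructed sample values;
# the app never sees this table, it only receives what the gate returns.
ACL = {"user@example.org": {"bldg-1", "bldg-2"}}
DATA = {"bldg-1": {"kwh": 412}, "bldg-2": {"kwh": 377}, "bldg-3": {"kwh": 901}}


def issue_token(subject: str) -> str:
    """Mint a signed token the way the identity layer would (simulation)."""
    body = json.dumps({"sub": subject}, separators=(",", ":"))
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str) -> Optional[str]:
    """Return the verified subject, or None if the signature does not check out."""
    body, _, sig = token.rpartition(".")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(sig, expected):
        return None
    return json.loads(body).get("sub")


def handle_request(request: dict) -> dict:
    """Platform-side gate: who is asking (token), what they may see (ACL),
    whether the request is valid. Extra client fields such as 'role' are ignored."""
    subject = verify_token(request.get("token", ""))
    if subject is None:
        return {"status": 401, "error": "invalid or missing token"}
    building = request.get("building")
    # Permission check runs before existence check, so unknown IDs cannot be probed.
    if building not in ACL.get(subject, set()):
        return {"status": 403, "error": "not permitted"}
    if building not in DATA:
        return {"status": 404, "error": "unknown building"}
    return {"status": 200, "data": DATA[building]}


if __name__ == "__main__":
    tok = issue_token("user@example.org")
    print(handle_request({"token": tok, "building": "bldg-1"}))
    # A tampered frontend asking for another building with a claimed admin role:
    print(handle_request({"token": tok, "building": "bldg-3", "role": "admin"}))
```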

What this eliminates

We mapped this architecture against the 14 most commonly documented vibe coding vulnerabilities — compiled from Veracode, Wiz, Databricks AI Red Team, OWASP Top 10 for LLM Applications, OWASP Top 10 for Web Applications, Kaspersky, Tenzai, and the Vibe Coding Security Top 10.

10 of 14 risks are fully eliminated. Not patched. Not mitigated. Gone.

No hardcoded credentials — because there are no credentials. No SQL injection — because there’s no database. No misconfigured backend — because there is no backend. No broken authorization — because authorization lives in ProptechOS, not the app.

The remaining four (third-party dependencies, XSS, rate limiting, input validation) are handled through platform-level controls and pre-production review. Even here, the blast radius is limited. A compromised frontend library can’t reach data without a valid user token. ProptechOS still enforces permissions on every request.

See the mapping here.

What IT departments actually care about

For IT leaders, the shift is this: security becomes a property of the platform, not a burden on the builder.

That changes the approval conversation. Instead of “is this code secure?” — which means deep-diving into every app — the question becomes “does this app follow the architecture?” That’s a checklist, not an audit: no secrets in the code, auth delegated to Entra ID, all data from ProptechOS, source code in Git.

It simplifies compliance too. All data processing happens in ProptechOS, under one DPA. No separate agreements for hosting, databases, or backend services. The stack holds SOC 2 Type II, ISO 27001, and GDPR certifications. The architecture aligns with EU NIS2 requirements.

One platform. One agreement. One place where data lives and security is enforced.

No lock-in

Fair question: what if the AI tool used to build the app disappears tomorrow?

All source code syncs to ProptechOS Git. Standard tooling. Standard build process. Any developer can rebuild and redeploy in under an hour. No dependency on any single development platform.

We take responsibility

This isn’t a “here’s an API, good luck” setup. ProptechOS reviews every app before it goes live — architecture, code, authentication flows, dependencies, authorization. Nothing reaches production without passing that gate.

After launch, we handle ongoing maintenance: security patches, platform updates, incremental improvements. Under your existing agreement.

One partner. One handshake. Accountability for the full lifecycle.

What this means for the future

Vibe coding isn’t going away. The speed is too valuable. The tools will only get better. The question isn’t whether organizations will adopt AI-assisted development. It’s whether they’ll do it safely.

We think the answer isn’t slower development or more manual review. It’s smarter platforms — where doing the easy thing and doing the safe thing are the same thing.

Speed for the people who build. Confidence for the people who approve. Protection for the data that matters.

That’s the architecture. And your buildings just got a lot smarter.

See it in action – Book a demo.

Read our whitepaper here.

Anna Lundvall Hedin

Marketing Manager
