How to beef up your security with AI, safely

Last month, prominent indie hacker Marc Louvion found himself in hot water when an X user pointed out security flaws in his boilerplate product.

The ShipFast saga has many indie hackers questioning the security of their own SaaS products — a crucial element they may have overlooked in the drive to get a product out quickly.

But whether it's the result of limited time or expertise (or both), vulnerable code can come back to bite you. Hard.

Plenty of indie hackers — including Louvion — are turning to AI for help with their security. Although it's "certainly not bulletproof," it makes this complex field "a bit easier," he said in a recent X post.

But experienced builders warn AI's security skills are limited and it should only be used with caution.

Necmettin "Neco" Karakaya is a software developer with extensive security experience. He launched early-stage tool defendsaas.com after seeing a surge in interest in security among indie hackers.

"Security is complex. It often requires understanding specific attack vectors within the broader context of an application," he said. "AI might offer solutions for smaller, isolated issues, but when it comes to larger-scale security concerns, its effectiveness is questionable."

That being said, indie hackers may not know where else to turn with their security questions.

"Security as a service been around for a while," Neco said. But it's normally designed for enterprise businesses who need regular security audits as part of their licensing.

This is overkill for most bootstrapped SaaS startups — and it's expensive. Big companies can spend $16-$20k for an audit.

AI, on the other hand, is cheap and available instantly. If you are keen to use it in your own projects, how can you make sure you're using it responsibly?

1. Don't get complacent

"It's easy to become reliant on AI for quick fixes, which might cause developers to overlook subtle changes that introduce vulnerabilities," Neco told me.

When I spoke to other indie hackers, it seemed like everyone had some version of this story.

"7/10 wouldn’t take AIs security advice," one experienced founder told me. He ended up working with stale data for weeks after failing to notice an AI code editor had altered a collection name. "It made a small adjustment without understanding of the context and fucked up a feature," he said.

Another indie hacker said, "I overlooked a slight change that that messed up one webhook. I was too lazy to check every detail."

"These reasons are exactly why I don't use [AI code editor] Cursor," said James Ivings, co-founder of LeaveMeAlone and StartKit.ai. "I'm lazy and I know if I start then I'll miss all kinds of shit like this."

2. Make sure you understand any AI-generated code

Checking AI-generated code for errors isn't enough. You need to properly understand what it does or you risk letting through errors you haven't considered.

Reading each line and thinking about what it actually does can be "super useful," one founder said. Making your own comments may also help you if you need to go back in and make changes in the future.

"Reading your own code after some time is tough enough; deciphering code you didn't write — or that was generated by an AI — makes debugging and fixing security issues even more difficult," Neco said.

"You might feel disconnected from your own codebase, making it harder to identify and resolve problems."

3. Check your work with AI — but remember it's not foolproof.

Several indie hackers suggested making AI check its own workings for potential security risks. One founder said he gets AI to triple-check anything it generates.

Other founders don't use AI to generate code at all, but will use it to audit their own scripts.

"AI is perhaps the problem and the solution to this," one founder said. "I suspect it's already better than an average dev at finding security holes."

Neco suggests using AI to generate test cases that can help you build "a more robust" codebase. "Using AI to create comprehensive unit tests, integration tests, and other automated checks ensures your code behaves as expected and can handle edge cases effectively," he said.

Testing your code gives you confidence in its reliability. The more thoroughly you test it, the more confidence you will have.

But it's important to make sure your security doesn't rest solely on AI audits, which may miss vulnerabilities in complex systems it doesn't have full grasp of.

Some startups offer automated code reviews that can highlight issues you may not have considered. But there's a lot to be said for traditional static analysis tools and peer reviews, Neco said.

4. Use it for high-level questions

If you don't trust AI to audit your own code, you might still find it can help spot high-level issues that result from your particular setup.

"I want to understand and implement myself for the most part [and I'm] not letting AI touch anything," LexBoost co-founder Erwin Lengkeek told me.

"I'm only asking AI what I should consider/learn/know to improve security for my specific infrastructure and setup."

But it's important to remember even these insights can be misleading. "The AI might provide inaccurate or irrelevant information due to a lack of context or hallucinations," Neco said.

5. Speak to real-life developers

Given AI's limitations, it should never be the only source of security expertise.

"My primary advice is to consult with experienced developers before launching your application," Neco said. "An experienced eye can quickly spot vulnerabilities and recommend best practices that might not be immediately obvious."

Neco set up a Discord channel as part of his security start-up, where users can get advice when they encounter a problem they don't understand. Eventually, he wants to host a hub of resources built for founders.

"It's crucial to remain proactive and continuously educate yourself," he told me.

"Building a secure application isn't just about fixing issues as they arise, but about adopting a security-first mindset throughout your development process."