How to Prompt AI Coding Agents to Write Secure Code
Vibe coding is fast. It's also shipping insecure code by default. At Clash of Prompts SF, Salah-Eddine Alabouch (Symbiotic Security) ran a workshop on how to actually prompt AI coding agents to produce secure code, and how to defend against the new class of supply chain risks these agents introduce. This is the full workshop.

🎯 What you'll learn:
- What a winning secure prompt actually looks like
- Why AI coding agents default to insecure patterns
- The hidden supply chain risks in `agents.md`, cursor rules, hooks and MCP tools
- Practical defenses: trust boundaries, allow-lists, sandboxing, egress control, SAST & SCA
- How security teams can push guardrails out to every dev by default

⏱ Chapters
- 00:00 Intro — Why vibe coding ships insecure by default
- 01:30 Winning prompt strategies
- 05:00 Trust boundaries & listing threats up front
- 08:00 Allow-lists, enums & safe defaults
- 11:00 Why LLMs reproduce insecure patterns
- 14:00 Knowledge cutoff & vulnerable libraries
- 17:00 Supply chain attacks via `agents.md`, cursor rules & hooks
- 21:00 MCP tool poisoning
- 24:00 Configuration poisoning & auto-approval risks
- 27:00 Defenses: human-in-the-loop, egress control, sandboxing
- 30:00 SAST, SCA & centralized policy
- 33:00 Closing thoughts + Q&A

🔗 Links
- Play the Clash of Prompts game: https://clashofprompt.io/
- Symbiotic Security: https://symbioticsec.ai

About Symbiotic Security
Symbiotic Security helps teams ship AI-generated code without shipping AI-generated vulnerabilities. We build the guardrails, scanning and policies that let developers move fast and stay safe.

📲 Follow us
- LinkedIn: https://www.linkedin.com/company/symbiotic-security