AI has made it easy to ship software in days instead of months. That speed is a gift, but it also changes where security lives and how quickly risk can enter your app. In this Aikido Masterclass, Bill Harmer (CISO, Supabase) and Igor Andriushchenko (CISO, Lovable) shared what it takes to keep velocity without losing control. This recap captures the parts every builder should apply right now.
Build security in from the start
Lovable helps you move from idea to interface fast. Supabase gives you the backend and database foundation. Bill opened with a reminder that matters more than any tool choice: security is a design decision, not a late-stage patch.
“Security is delivered by design, not bolted on later.” - Bill Harmer, CISO Supabase
When foundations are secure, everything above them stays calmer. Keep sensitive logic and data access on the backend, lean on secure defaults instead of rolling your own auth, and avoid pushing quick fixes into the browser just to unblock a build.
Use what the platforms give you
Teams often rebuild controls that already exist inside their stack. Supabase and Lovable ship with guardrails that cut months of work if you simply turn them on and use them as intended.
“We build Supabase so teams inherit enterprise-grade controls from day one.” - Bill Harmer, CISO Supabase
Authentication, permissions, storage policies, and encryption are already there. The job is to configure and respect them, not replace them with something riskier.
Do not skip Row Level Security
Row Level Security (RLS) is simple, powerful, and too often ignored. It decides exactly which rows a user can see or change. Without it, the blast radius is the entire table.
“If you do nothing else, enable Row Level Security and configure it.” - Bill Harmer, CISO Supabase
Lovable enables RLS by default, but you still need to write and test the policies. Treat RLS like a seatbelt. You only notice it is missing when it is too late.
Security slows you down a little, and that is fine
Adding checks can break something. That is normal. Igor’s point was not to avoid friction, but to treat it as a sign you are doing the right work.
“Security is not free. The payoff is peace of mind and fewer incidents.” - Igor Andriushchenko, CISO Lovable
If a rule blocks a path, fix the path rather than removing the rule. Hours now beat days of cleanup later. Real speed is deploying with confidence.
Think in layers
There is no single feature that protects an app. Good security is a stack of small controls that catch each other’s misses.
“Think in layers. Every layer should fail closed.” - Igor Andriushchenko, CISO Lovable
Use MFA and role-based access. Push sensitive logic into edge functions. Enforce RLS at the database. Scan for secrets and vulnerabilities before merge. Watch runtime traffic and set rate limits. Each layer reduces impact when something slips.
Developers are becoming builders
AI shifted the craft. The value is less about typing and more about shaping systems that hold up under change.
“Hire builders. People who solve problems with systems. The tool is secondary.” - Igor Andriushchenko, CISO Lovable
Builders understand boundaries, data flow, and failure points. They know what belongs in the browser, what stays on the edge, and what the database must enforce. That mindset prevents subtle risks from becoming public incidents.
Give AI guardrails
Large language models are built to make code run. If a constraint looks like the reason something fails, the model will try to remove it. That can be a security check.
“AI will remove constraints to make code run unless you tell it not to.” - Igor Andriushchenko, CISO Lovable
Set rules before you generate. Keep secrets out of the browser. Let edge functions handle sensitive logic. Let the database enforce RLS. Ask AI to help you build, not to decide what is safe.
Ship with the basics covered
Bill’s final reminder was to rely on secure defaults and verify the fundamentals before release.
“Secure defaults make everything easier.” - Bill Harmer, CISO Supabase
Turn on and test RLS. Enable MFA. Keep secrets out of repositories. Add rate limits and bot protection for public endpoints. Separate staging and production. Review logs and alerts. Automate scans in CI. These steps are simple, and they are the ones that prevent headlines.
The takeaway
Fast does not have to mean fragile. Lovable lets you build quickly. Supabase gives you a secure foundation. Aikido ties it together by finding and fixing risks across your code, cloud, and runtime so you can keep shipping without second guessing what you missed.
If you want a practical list you can run today, start with the Vibe Coder’s Security Checklist.
Watch the full Masterclass recording to hear it straight from the CISOs.
.avif)
