Security as Code Using Agentic AI: Efficiency in Ensuring Software Development Lifecycle Security

2025, pp. 13–25

1, 2 Lviv Polytechnic National University, Department of Information Protection, Ukraine

This paper presents a framework for automating software development security using a Security as Code approach enhanced with a multi-agent artificial intelligence system. The research addresses the limitations of traditional DevSecOps practices by deploying specialized AI agents to perform static code analysis, generate and enforce security policies, and monitor system behavior. The architecture integrates security throughout the CI/CD pipeline and runtime, enabling autonomous decision-making, adaptability to threats, and reduced developer overhead. Experimental evaluation demonstrates the framework’s effectiveness in early vulnerability detection, consistent policy enforcement, and reduced response time. The proposed solution balances automation speed with human oversight, enhancing the resilience and scalability of secure software development processes.
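The abstract describes three cooperating agents (static analysis, policy generation and enforcement, runtime monitoring) wired into a CI/CD gate. The following Python sketch is an added illustration of that architecture and is not the paper's own code: the scanning rules, the policy thresholds, the log format and the sample source files and log lines are all constructed here, and rule-based functions stand in for the AI agents so that the orchestration and the gating decision can be exercised offline.

```python
"""Constructed Security-as-Code pipeline with three cooperating agents.

Hypothetical example, not the paper's implementation: a static-analysis agent,
a policy agent and a runtime-monitor agent are coordinated by a small
orchestrator that gates a CI stage on their combined output.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Finding:
    rule: str
    severity: str      # "high" | "medium" | "low"
    location: str      # "path:line"


# --- Agent 1: static code analysis (rule-based stand-in for an AI agent) ---
# Constructed rules: a hardcoded credential, shell=True in subprocess, weak hashes.
STATIC_RULES = [
    ("hardcoded-secret", "high",
     re.compile(r"(?i)(password|api_key|secret)\s*=\s*['\"][^'\"]+['\"]")),
    ("shell-injection", "high",
     re.compile(r"subprocess\.\w+\([^)]*shell\s*=\s*True")),
    ("weak-hash", "medium", re.compile(r"hashlib\.(md5|sha1)\(")),
]


def static_analysis_agent(sources: dict) -> list:
    """Scan {path: source_text} and return a list of Finding objects."""
    findings = []
    for path, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, severity, pattern in STATIC_RULES:
                if pattern.search(line):
                    findings.append(Finding(name, severity, f"{path}:{lineno}"))
    return findings


# --- Agent 2: policy as code -------------------------------------------------
@dataclass
class Policy:
    """Declarative gate policy; thresholds are constructed for the example."""
    block_on: set = field(default_factory=lambda: {"high"})
    max_medium: int = 2


def policy_agent(findings: list, policy: Policy) -> dict:
    """Evaluate findings against the policy and return the gate decision."""
    blocking = [f for f in findings if f.severity in policy.block_on]
    medium = [f for f in findings if f.severity == "medium"]
    allowed = not blocking and len(medium) <= policy.max_medium
    return {"allowed": allowed, "blocking": blocking, "medium": medium}


# --- Agent 3: runtime monitor over log lines --------------------------------
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<level>\w+) (?P<msg>.*)$")  # constructed format
AUTH_FAIL_RE = re.compile(r"auth failure for user (?P<user>\w+)")


def monitor_agent(log_lines: list, threshold: int = 3) -> list:
    """Raise one alert per user whose auth failures reach the threshold."""
    failures = {}
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # ignore lines that do not parse
        hit = AUTH_FAIL_RE.search(m.group("msg"))
        if not hit:
            continue
        user = hit.group("user")
        failures[user] = failures.get(user, 0) + 1
        if failures[user] == threshold:   # alert exactly once per user
            alerts.append(f"repeated auth failures for user {user} ({threshold})")
    return alerts


# --- Orchestrator: runs the agents and produces the CI gate verdict ---------
def run_pipeline(sources: dict, policy: Policy, log_lines: list) -> dict:
    findings = static_analysis_agent(sources)
    verdict = policy_agent(findings, policy)
    alerts = monitor_agent(log_lines)
    return {
        "findings": findings,
        "gate": "allow" if verdict["allowed"] else "block",
        "alerts": alerts,
    }


# Constructed sample inputs for a stand-alone run.
SAMPLE_SOURCES = {
    "app/config.py": "DB_PASSWORD = 'hunter2'\nTIMEOUT = 30\n",
    "app/util.py": "import hashlib\n\ndef digest(b):\n    return hashlib.md5(b).hexdigest()\n",
}
SAMPLE_LOGS = [
    "2025-01-01T10:00:00Z WARN auth failure for user alice from 10.0.0.5",
    "2025-01-01T10:00:01Z WARN auth failure for user alice from 10.0.0.5",
    "2025-01-01T10:00:02Z WARN auth failure for user alice from 10.0.0.5",
    "2025-01-01T10:00:03Z INFO request served in 12ms",
]

if __name__ == "__main__":
    result = run_pipeline(SAMPLE_SOURCES, Policy(), SAMPLE_LOGS)
    for f in result["findings"]:
        print(f"[{f.severity}] {f.rule} at {f.location}")
    print("gate:", result["gate"], "| alerts:", result["alerts"])
```

The policy lives in data rather than in the scanner, which is the property the Security as Code approach relies on: the same `Policy` object can be versioned alongside the application and reviewed by humans, while the agents only produce evidence and apply it. Replacing `static_analysis_agent` with a model-backed analyser would leave the gate logic unchanged.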

  23. Yanagawa, T., Agarwal, V., Watanabe, Y., DeGenaro, L., & others. (2024). A secure framework for continuous compliance across heterogeneous policy validation points. In Proceedings of the 2024 IEEE 17th International Conference on Cloud Computing (CLOUD) (pp. 176–182). IEEE. DOI: https://doi.org/10.1109/ CLOUD62652.2024.00029.