Security-first development with AI
1. Security-first development with AI
Welcome back! Now, we shift from testing maturity to security-first development.
2. From testing to security
In the previous video, we turned Atlas into a well-tested application, but a well-tested system can still be unsafe. In this video, we focus on preventing vulnerabilities before they reach production.
3. Security-first principles
Security first means three things. We look for common vulnerability patterns early. We fix issues using secure coding practices, not one-off patches. And we automate security checks so that every change is consistently reviewed in the context of the full codebase.
4. Why AI for security?
AI helps here because it can quickly scan unfamiliar code, surface risky hotspots, and propose concrete remediations we can validate.
5. AI-assisted security review
First, we can run an AI-assisted security review of the codebase with the prompt shown on screen. To do this, we have the AI take the role of an application security engineer and produce a structured report, aligned with a standard framework. For a data analytics toolbox, a good fit is the CWE Top 25 Most Dangerous Software Weaknesses. Pause the video if you’d like a moment to read the prompt.
6. Security review output
The output is a prioritized list of findings, with the highest-risk issues at the top. Even if we do not fully trust every claim, this gives us a prioritized checklist and a starting point for verification.
7. Validating with security scanners
Next, we validate the AI findings with security scans. Here, we run the scanners we normally use and use the AI model to interpret the results and propose targeted fixes. In our case, we will run pip-audit for dependency vulnerabilities and semgrep for finding insecure code patterns.
8. Interpreting scanner results
Then we feed the reports into the AI model to interpret the results and classify findings by effort and severity. The model effectively analyzes the scanner output and spots security issues such as a vulnerable package dependency, a command injection pattern, and a SQL injection pattern.
9. Secure coding practices
Now that we have identified the issues, we can move to secure coding practices. For example, we select the SQL injection risk detected by the scanners and ask the model to fix the bug using common best practices, such as parameterized queries and input validation. In addition, we can include unit test generation in our prompt to demonstrate that the system is robust to injection payloads.
10. Automating security checks
Finally, we add the most important part of security-first development: automation. We integrate these checks into the project's testing workflow, and we run them in CI. Since Atlas is a data analysis toolbox, we will automate what matters most: unit and integration tests, dependency auditing and static analysis. If your project also includes a running web service, you can add a dynamic scanner such as OWASP ZAP.
11. Secure prompt patterns
To wrap up, we want prompts that encourage secure patterns, not quick hacks. If we keep the prompt vague with 'fix this vulnerability', the model may apply a fast patch, like escaping a string, without removing the root cause.
12. The three-part pattern
A simple, secure prompt pattern has three parts. A brief threat model: ask for a checklist of what needs protection in our codebase, which keeps the fix focused on real risks. Secure-by-default implementation choices: prefer safer primitives over manual sanitization. And validation tests: ask for tests that can help you prevent the issue in the future.
13. Let's practice!
Now, let's practice security-first development with AI!
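
The SQL injection fix described under "Secure coding practices", which also follows the three-part pattern's preference for safer primitives over manual sanitization, shown as an added example that is not taken from the course or the Atlas codebase: the string-built query beside a parameterized, allowlist-validated version. The `sales` table, the function names and the payload are constructed assumptions.

```python
import sqlite3

# Constructed sample schema; table and column names are assumptions for this example.
ALLOWED_SORT_COLUMNS = {"id", "region", "revenue"}

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (id INTEGER PRIMARY KEY, region TEXT, revenue REAL)")
    conn.executemany(
        "INSERT INTO sales (region, revenue) VALUES (?, ?)",
        [("north", 120.0), ("south", 80.5), ("north", 42.0)],
    )
    return conn

def sales_by_region_unsafe(conn, region):
    # BEFORE: user input is concatenated into the SQL text (CWE-89).
    query = f"SELECT id, region, revenue FROM sales WHERE region = '{region}'"
    return conn.execute(query).fetchall()

def sales_by_region_safe(conn, region, sort_by="id"):
    # Input validation: identifiers cannot be bound as parameters, so the
    # sort column must come from a fixed allowlist.
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    if not isinstance(region, str) or len(region) > 64:
        raise ValueError("region must be a string of at most 64 characters")
    # Parameterized query: the value is bound, never spliced into the SQL text.
    query = f"SELECT id, region, revenue FROM sales WHERE region = ? ORDER BY {sort_by}"
    return conn.execute(query, (region,)).fetchall()

# Constructed injection payload of the kind a validation test should include.
PAYLOAD = "nowhere' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", sales_by_region_unsafe(db, PAYLOAD))  # filter is bypassed
    print("safe:  ", sales_by_region_safe(db, PAYLOAD))    # payload is only a value
```

The same assertions a generated unit test would make (the payload returns no rows from the safe function, and an unlisted sort column is rejected) are what belong in the CI suite.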