🔒 The opportunity: application threat modeling & secure design review is one of the highest value appsec/prodsec activities, but is hard to implement efficiently and at scale.

A bad solution: provide a long list of controls that need to be checked each time

A better solution: generate relevant security requirements automatically based on what’s being built

Met with primesec yesterday, and this is what they are trying to do! They are using an LLM to read what’s in your user stories (etc.), summarizing the work for the security team, and injecting specific security control requirements.

If this catches even a small portion of the real requirements, it would be a major uplift for teams both from a security and efficiency perspective. Looking forward to checking it out.