A Multi-agent Security Framework for AI-Assisted Software Development
DOI: https://doi.org/10.63282/3050-9416.IJAIBDCMS-V7I1P105
Keywords: Multi-Agent Systems, AI Security, DevSecOps, Software Development Lifecycle, Code Generation, Vulnerability Detection, Shift-Left Security, Large Language Models, Iterative Security Refinement
Abstract
AI-enabled code generation tools have drastically changed software development, but security flaws in AI-generated code remain a significant problem. Several recent studies show that security vulnerabilities could increase by 37.6% after five rounds of iterative software refinement using AI, with 19-50% of AI-generated code containing security flaws. This paper describes a new multi-agent security framework that integrates security-first principles throughout the Software Development Lifecycle (SDLC). The framework consists of seven specialized AI agents (Threat Modeling, Security Design, Secure Code Generation, Security Testing, CI/CD Security, Runtime Security, and Compliance), each of which handles a distinct SDLC phase. The key differentiator is a continuous security gate mechanism in the Secure Code Generation Agent, which keeps security on track during coding through confidence scoring and automated safety checkpoints. The framework integrates directly with existing development tools such as Jira, GitHub, Jenkins, and SIEM through webhook-based triggers, and uses hybrid enforcement that combines rule-based security tools (SAST, DAST, SCA) with LLM-based contextual analysis. The proposed approach targets >90% sensitivity for critical vulnerabilities and >85% specificity to minimize alert fatigue, with holistic metrics covering detection accuracy, performance, and operational effectiveness. The solution addresses security proactively at every SDLC stage rather than reactively after deployment, allowing organizations to use AI-assisted development while maintaining a robust security posture and regulatory compliance.