Bridging Security and Agility: A Comprehensive Approach to Integrating Security Practices in Agile Development through DAST, LLMs, and Automation

Date

2026-01-30

Publisher

Virginia Tech

Abstract

Effectively integrating security practices within Agile software development is essential as software systems become more complex and more critical. While Agile methodologies are widely adopted for their responsiveness and efficiency, many security practices remain documentation-heavy and process-driven, creating friction with Agile's emphasis on frequent delivery, individuals, and interactions. This Ph.D. dissertation investigates the integration of security practices, particularly Dynamic Application Security Testing (DAST), which is used to identify critical vulnerabilities in a running web application, into Agile workflows, and examines its perceived impact on development teams and processes. We first surveyed Agile practitioners to understand their perspectives on security integration, revealing both benefits and challenges in implementation. We then explored how Large Language Models (LLMs) could improve the comprehension of security testing outputs, demonstrating that LLM-generated summaries make security alerts more accessible and easier to understand. Subsequently, an in-depth real-world case study of a Kanban-based Agile team integrating DAST into its Continuous Integration/Continuous Delivery (CI/CD) pipelines uncovered practical obstacles, such as report complexity and workflow interruptions, alongside conditions that supported successful adoption, including increased automation and dedicated engineering support. Finally, the insights from these studies informed the development of SafeAIMerge, a CI/CD-based tool that integrates DAST scanning with LLM-generated summaries to deliver actionable, developer-friendly security feedback within pull requests (PRs). Practitioner evaluations indicate that the tool reduces cognitive and emotional workload during vulnerability remediation, improves understanding of security reports, and helps software developers resolve security issues more efficiently. Together, these studies form a cohesive body of evidence that security practices such as DAST can be effectively embedded into Agile development when supported by automated workflows and LLMs and guided by practitioner-centered design.

Keywords

Software Engineering, Agile, Security, Security Practices, DAST, LLM
