Bridging Security and Agility: A Comprehensive Approach to Integrating Security Practices in Agile Development through DAST, LLMs, and Automation
| dc.contributor.author | Thool, Arpit Uday | en |
| dc.contributor.committeechair | Brown, Dwayne Christian | en |
| dc.contributor.committeemember | Smith, Justin | en |
| dc.contributor.committeemember | Meng, Na | en |
| dc.contributor.committeemember | Edmison, Kenneth Robert | en |
| dc.contributor.committeemember | Gulzar, Muhammad Ali | en |
| dc.contributor.department | Computer Science & Applications | en |
| dc.date.accessioned | 2026-01-31T09:00:09Z | en |
| dc.date.available | 2026-01-31T09:00:09Z | en |
| dc.date.issued | 2026-01-30 | en |
| dc.description.abstract | Effectively integrating security practices within Agile software development is essential as software systems become complex and critical. While Agile methodologies are widely adopted for their responsiveness and efficiency, many security practices remain documentation-heavy and process-driven, creating friction with Agile's emphasis on frequent delivery, individuals, and interactions. This Ph.D. dissertation investigates the integration of security practices—particularly Dynamic Application Security Testing (DAST), used to identify critical real-time vulnerabilities in web applications—into Agile workflows, examining its perceived impact on development teams and processes. We first surveyed Agile practitioners to understand their perspectives on security integration, revealing both benefits and challenges in implementation. We then explored how Large Language Models (LLMs) could improve the comprehension of security testing outputs, demonstrating that LLM-generated summaries enhance the accessibility and understanding of security alerts. Subsequently, an in-depth real-world case study of a Kanban-based Agile team integrating DAST into its Continuous Integration Continuous Development (CI/CD) pipelines uncovered practical obstacles—such as report complexity and workflow interruptions—alongside conditions that supported successful adoption, including increased automation and dedicated engineering support. Finally, the insights from these studies informed the development of SafeAIMerge, a CI/CD-based tool that integrates DAST scanning with LLM-generated summaries to deliver actionable, developer-friendly security feedback within pull requests (PRs). Practitioner evaluations indicate that the tool reduces cognitive and emotional workload during vulnerability remediation, enhances security report understanding, and supports software developers in more efficient resolution of security issues. Together, these studies form a cohesive body of evidence demonstrating how security practices such as DAST, when supported by automated workflows and LLMs, and guided by practitioner-centered design, can be effectively embedded into Agile development. | en |
| dc.description.abstractgeneral | Modern software is deeply embedded in everyday life, making security a critical concern. At the same time, many software teams rely on Agile development methods that emphasize speed and frequent updates. Traditional security practices are often difficult to fit into these fast-paced workflows, creating challenges for teams trying to remain both secure and efficient. This PhD dissertation focuses on how security practices can be effectively incorporated into Agile software development. We first examined how software developers perceive security, identifying common benefits as well as obstacles that make security practices difficult to adopt in Agile. Next, we investigated how LLM tools can help developers better understand security testing results, showing that LLM-generated explanations make security issues clearer and easier to address. We then studied a real-world Agile team integrating automated security testing—specifically Dynamic Application Security Testing (DAST), which checks running web software for security weaknesses—into their development process, uncovering both practical challenges and factors that supported successful adoption. Based on these findings, we developed SafeAIMerge, a DAST-based tool that provides clear and actionable security feedback directly within developers' existing workflows. Overall, this research demonstrates that developers perceive security can be effectively integrated into Agile development when it is automated, clearly explained, and designed around developers' needs, helping teams build secure software without slowing development. | en |
| dc.description.degree | Doctor of Philosophy | en |
| dc.format.medium | ETD | en |
| dc.identifier.other | vt_gsexam:45673 | en |
| dc.identifier.uri | https://hdl.handle.net/10919/141091 | en |
| dc.language.iso | en | en |
| dc.publisher | Virginia Tech | en |
| dc.rights | In Copyright | en |
| dc.rights.uri | http://rightsstatements.org/vocab/InC/1.0/ | en |
| dc.subject | Software Engineering | en |
| dc.subject | Agile | en |
| dc.subject | Security | en |
| dc.subject | Security Practices | en |
| dc.subject | DAST | en |
| dc.subject | LLM | en |
| dc.title | Bridging Security and Agility: A Comprehensive Approach to Integrating Security Practices in Agile Development through DAST, LLMs, and Automation | en |
| dc.type | Dissertation | en |
| thesis.degree.discipline | Computer Science & Applications | en |
| thesis.degree.grantor | Virginia Polytechnic Institute and State University | en |
| thesis.degree.level | doctoral | en |
| thesis.degree.name | Doctor of Philosophy | en |