Observe and Secure the ADLC: A Four-Point Framework for CISOs and Development Teams Using AI
If you’ve been paying attention to the rapidly shifting landscape of our industry, you already know the reality we are facing: the question isn’t whether Generative AI should be used to create software code, or whether the percentage of code generated by GenAI will increase in the near future. We’re well beyond the contemplation stage, at this point. The real question we must answer is how to maintain security and compliance while GenAI and artificial intelligence agents generate code and commit changes. The Software Development Life Cycle (SDLC) has transformed into the Agentic Development Lifecycle (ADLC) right before our eyes, and to be honest, we’re lagging behind best practices to keep it secure.
While development teams look to make the most of GenAI’s undeniable benefits, we’d like to propose a four-point foundational framework that will allow security leaders to deploy AI coding tools and agents with a higher, more relevant standard of security best practices. It details exactly what enterprises can do to ensure safe, secure code development right now, and as agentic AI becomes an even bigger factor in the future.
The Risks of AI-Generated Code That We Cannot Ignore
Ever since GenAI became an easily accessible tool, sparked by the release of ChatGPT in November 2022 and followed quickly by other large language models (LLMs), its application in code generation has been one of the hottest topics in tech. The productivity boost has been massive, but the double-edged sword of AI quickly became apparent. Even though some studies suggest AI-generated code can be as secure as human-generated code, the real risk lies in how often and how quickly AI-generated errors can propagate into the wider software ecosystem.
With Gartner finding that 52% of IT leaders expect GenAI will be used to generate software for their organizations soon, we cannot afford to pace ourselves too slowly, or wait for a more precise legislative landscape.
The Building Blocks for More Secure AI Code
Here at Secure Code Warrior, we view our framework for the secure use of AI coding tools not as a final destination, but as a crucial starting point that organizations can adopt immediately:
- Where’s Your Ruleset? First and foremost, developers need clear guidance for making use of AI coding tools. For instance, our SCW AI Security Rules, which we made available as a free resource on GitHub, provide structured guidance for developers working with popular tools like GitHub Copilot, Cline, Roo, Cursor, Aider, and Windsurf. These rules are lightweight by design, acting as a practical starting point rather than an exhaustive rulebook. They are organized by domain (such as web frontend, backend, and mobile) and are heavily security-focused, covering recurring issues like injection flaws, unsafe handling, weak authentication flows, and cross-site request forgery (CSRF) protection.
- Do You Have the Right AI Tech Stack? It's not just about using AI; it's about using the correct tool for the job. Organizations need to focus on the security efficacy of the AI tools they use, ensuring they are specifically built to meet the demands of a secure environment. You should be able to leverage AI tools for proactive, developer-led threat modeling, not just for code output. When the right AI tools are used the right way, they actually enhance security and prevent many errors from slipping into the pipeline.
- Precision AI Governance: A lack of visibility and governance is the fastest way to breed "shadow AI" and spread insecure code throughout your organization. We need tools that provide deep observability to enable organizations to effectively manage A tooI adoption, MCPs in use, and the commits being made by agentic technology. For example, by correlating AI tool usage directly with developer secure coding skills, leaders can maintain oversight. Upskilling developers through an ongoing learning program ensures the safe use of AI early in the software development lifecycle (SDLC), allowing your organization to innovate faster without sacrificing security. You can do that right now with SCW Trust Agent: AI. Awesome!
- Adaptive Learning Pathways: CISOs must empower their developers via educational programs that provide hands-on, real-world upskilling in secure coding. It is vital to measure their progress in acquiring new skills and to observe developers’ commits to see how well they apply those skills daily—especially their ability to double-check the work of AI tools. By using benchmarks to establish required skills and measure educational progress, organizations can effectively manage their use of AI in software development.
Want to see Learning Pathways and AI Governance in action? Book a demo.
The Bottom Line
As any developer knows, AI coding tools are extremely powerful, but how they are used determines how well they support security and compliance. Security-proficient developers and their managers who follow this framework to safely leverage AI coding tools from the start of the development cycle can increase the quality and security of their code tenfold.
And those who don’t? Well, sadly, the risk profile will only continue to grow, and security leaders will continue to contend with a cyber skills gap expanding at a similar pace.
While development teams look to make the most of GenAI’s undeniable benefits, we’d like to propose a four-point foundational framework that will allow security leaders to deploy AI coding tools and agents with a higher, more relevant standard of security best practices. It details exactly what enterprises can do to ensure safe, secure code development right now, and as agentic AI becomes an even bigger factor in the future.
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
If you’ve been paying attention to the rapidly shifting landscape of our industry, you already know the reality we are facing: the question isn’t whether Generative AI should be used to create software code, or whether the percentage of code generated by GenAI will increase in the near future. We’re well beyond the contemplation stage, at this point. The real question we must answer is how to maintain security and compliance while GenAI and artificial intelligence agents generate code and commit changes. The Software Development Life Cycle (SDLC) has transformed into the Agentic Development Lifecycle (ADLC) right before our eyes, and to be honest, we’re lagging behind best practices to keep it secure.
While development teams look to make the most of GenAI’s undeniable benefits, we’d like to propose a four-point foundational framework that will allow security leaders to deploy AI coding tools and agents with a higher, more relevant standard of security best practices. It details exactly what enterprises can do to ensure safe, secure code development right now, and as agentic AI becomes an even bigger factor in the future.
The Risks of AI-Generated Code That We Cannot Ignore
Ever since GenAI became an easily accessible tool, sparked by the release of ChatGPT in November 2022 and followed quickly by other large language models (LLMs), its application in code generation has been one of the hottest topics in tech. The productivity boost has been massive, but the double-edged sword of AI quickly became apparent. Even though some studies suggest AI-generated code can be as secure as human-generated code, the real risk lies in how often and how quickly AI-generated errors can propagate into the wider software ecosystem.
With Gartner finding that 52% of IT leaders expect GenAI will be used to generate software for their organizations soon, we cannot afford to pace ourselves too slowly, or wait for a more precise legislative landscape.
The Building Blocks for More Secure AI Code
Here at Secure Code Warrior, we view our framework for the secure use of AI coding tools not as a final destination, but as a crucial starting point that organizations can adopt immediately:
- Where’s Your Ruleset? First and foremost, developers need clear guidance for making use of AI coding tools. For instance, our SCW AI Security Rules, which we made available as a free resource on GitHub, provide structured guidance for developers working with popular tools like GitHub Copilot, Cline, Roo, Cursor, Aider, and Windsurf. These rules are lightweight by design, acting as a practical starting point rather than an exhaustive rulebook. They are organized by domain (such as web frontend, backend, and mobile) and are heavily security-focused, covering recurring issues like injection flaws, unsafe handling, weak authentication flows, and cross-site request forgery (CSRF) protection.
- Do You Have the Right AI Tech Stack? It's not just about using AI; it's about using the correct tool for the job. Organizations need to focus on the security efficacy of the AI tools they use, ensuring they are specifically built to meet the demands of a secure environment. You should be able to leverage AI tools for proactive, developer-led threat modeling, not just for code output. When the right AI tools are used the right way, they actually enhance security and prevent many errors from slipping into the pipeline.
- Precision AI Governance: A lack of visibility and governance is the fastest way to breed "shadow AI" and spread insecure code throughout your organization. We need tools that provide deep observability to enable organizations to effectively manage A tooI adoption, MCPs in use, and the commits being made by agentic technology. For example, by correlating AI tool usage directly with developer secure coding skills, leaders can maintain oversight. Upskilling developers through an ongoing learning program ensures the safe use of AI early in the software development lifecycle (SDLC), allowing your organization to innovate faster without sacrificing security. You can do that right now with SCW Trust Agent: AI. Awesome!
- Adaptive Learning Pathways: CISOs must empower their developers via educational programs that provide hands-on, real-world upskilling in secure coding. It is vital to measure their progress in acquiring new skills and to observe developers’ commits to see how well they apply those skills daily—especially their ability to double-check the work of AI tools. By using benchmarks to establish required skills and measure educational progress, organizations can effectively manage their use of AI in software development.
Want to see Learning Pathways and AI Governance in action? Book a demo.
The Bottom Line
As any developer knows, AI coding tools are extremely powerful, but how they are used determines how well they support security and compliance. Security-proficient developers and their managers who follow this framework to safely leverage AI coding tools from the start of the development cycle can increase the quality and security of their code tenfold.
And those who don’t? Well, sadly, the risk profile will only continue to grow, and security leaders will continue to contend with a cyber skills gap expanding at a similar pace.
If you’ve been paying attention to the rapidly shifting landscape of our industry, you already know the reality we are facing: the question isn’t whether Generative AI should be used to create software code, or whether the percentage of code generated by GenAI will increase in the near future. We’re well beyond the contemplation stage, at this point. The real question we must answer is how to maintain security and compliance while GenAI and artificial intelligence agents generate code and commit changes. The Software Development Life Cycle (SDLC) has transformed into the Agentic Development Lifecycle (ADLC) right before our eyes, and to be honest, we’re lagging behind best practices to keep it secure.
While development teams look to make the most of GenAI’s undeniable benefits, we’d like to propose a four-point foundational framework that will allow security leaders to deploy AI coding tools and agents with a higher, more relevant standard of security best practices. It details exactly what enterprises can do to ensure safe, secure code development right now, and as agentic AI becomes an even bigger factor in the future.
The Risks of AI-Generated Code That We Cannot Ignore
Ever since GenAI became an easily accessible tool, sparked by the release of ChatGPT in November 2022 and followed quickly by other large language models (LLMs), its application in code generation has been one of the hottest topics in tech. The productivity boost has been massive, but the double-edged sword of AI quickly became apparent. Even though some studies suggest AI-generated code can be as secure as human-generated code, the real risk lies in how often and how quickly AI-generated errors can propagate into the wider software ecosystem.
With Gartner finding that 52% of IT leaders expect GenAI will be used to generate software for their organizations soon, we cannot afford to pace ourselves too slowly, or wait for a more precise legislative landscape.
The Building Blocks for More Secure AI Code
Here at Secure Code Warrior, we view our framework for the secure use of AI coding tools not as a final destination, but as a crucial starting point that organizations can adopt immediately:
- Where’s Your Ruleset? First and foremost, developers need clear guidance for making use of AI coding tools. For instance, our SCW AI Security Rules, which we made available as a free resource on GitHub, provide structured guidance for developers working with popular tools like GitHub Copilot, Cline, Roo, Cursor, Aider, and Windsurf. These rules are lightweight by design, acting as a practical starting point rather than an exhaustive rulebook. They are organized by domain (such as web frontend, backend, and mobile) and are heavily security-focused, covering recurring issues like injection flaws, unsafe handling, weak authentication flows, and cross-site request forgery (CSRF) protection.
- Do You Have the Right AI Tech Stack? It's not just about using AI; it's about using the correct tool for the job. Organizations need to focus on the security efficacy of the AI tools they use, ensuring they are specifically built to meet the demands of a secure environment. You should be able to leverage AI tools for proactive, developer-led threat modeling, not just for code output. When the right AI tools are used the right way, they actually enhance security and prevent many errors from slipping into the pipeline.
- Precision AI Governance: A lack of visibility and governance is the fastest way to breed "shadow AI" and spread insecure code throughout your organization. We need tools that provide deep observability to enable organizations to effectively manage A tooI adoption, MCPs in use, and the commits being made by agentic technology. For example, by correlating AI tool usage directly with developer secure coding skills, leaders can maintain oversight. Upskilling developers through an ongoing learning program ensures the safe use of AI early in the software development lifecycle (SDLC), allowing your organization to innovate faster without sacrificing security. You can do that right now with SCW Trust Agent: AI. Awesome!
- Adaptive Learning Pathways: CISOs must empower their developers via educational programs that provide hands-on, real-world upskilling in secure coding. It is vital to measure their progress in acquiring new skills and to observe developers’ commits to see how well they apply those skills daily—especially their ability to double-check the work of AI tools. By using benchmarks to establish required skills and measure educational progress, organizations can effectively manage their use of AI in software development.
Want to see Learning Pathways and AI Governance in action? Book a demo.
The Bottom Line
As any developer knows, AI coding tools are extremely powerful, but how they are used determines how well they support security and compliance. Security-proficient developers and their managers who follow this framework to safely leverage AI coding tools from the start of the development cycle can increase the quality and security of their code tenfold.
And those who don’t? Well, sadly, the risk profile will only continue to grow, and security leaders will continue to contend with a cyber skills gap expanding at a similar pace.
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Chief Executive Officer, Chairman, and Co-Founder
Pieter Danhieux is a globally recognized security expert, with over 12 years experience as a security consultant and 8 years as a Principal Instructor for SANS teaching offensive techniques on how to target and assess organizations, systems and individuals for security weaknesses. In 2016, he was recognized as one of the Coolest Tech people in Australia (Business Insider), awarded Cyber Security Professional of the Year (AISA - Australian Information Security Association) and holds GSE, CISSP, GCIH, GCFA, GSEC, GPEN, GWAPT, GCIA certifications.
If you’ve been paying attention to the rapidly shifting landscape of our industry, you already know the reality we are facing: the question isn’t whether Generative AI should be used to create software code, or whether the percentage of code generated by GenAI will increase in the near future. We’re well beyond the contemplation stage, at this point. The real question we must answer is how to maintain security and compliance while GenAI and artificial intelligence agents generate code and commit changes. The Software Development Life Cycle (SDLC) has transformed into the Agentic Development Lifecycle (ADLC) right before our eyes, and to be honest, we’re lagging behind best practices to keep it secure.
While development teams look to make the most of GenAI’s undeniable benefits, we’d like to propose a four-point foundational framework that will allow security leaders to deploy AI coding tools and agents with a higher, more relevant standard of security best practices. It details exactly what enterprises can do to ensure safe, secure code development right now, and as agentic AI becomes an even bigger factor in the future.
The Risks of AI-Generated Code That We Cannot Ignore
Ever since GenAI became an easily accessible tool, sparked by the release of ChatGPT in November 2022 and followed quickly by other large language models (LLMs), its application in code generation has been one of the hottest topics in tech. The productivity boost has been massive, but the double-edged sword of AI quickly became apparent. Even though some studies suggest AI-generated code can be as secure as human-generated code, the real risk lies in how often and how quickly AI-generated errors can propagate into the wider software ecosystem.
With Gartner finding that 52% of IT leaders expect GenAI will be used to generate software for their organizations soon, we cannot afford to pace ourselves too slowly, or wait for a more precise legislative landscape.
The Building Blocks for More Secure AI Code
Here at Secure Code Warrior, we view our framework for the secure use of AI coding tools not as a final destination, but as a crucial starting point that organizations can adopt immediately:
- Where’s Your Ruleset? First and foremost, developers need clear guidance for making use of AI coding tools. For instance, our SCW AI Security Rules, which we made available as a free resource on GitHub, provide structured guidance for developers working with popular tools like GitHub Copilot, Cline, Roo, Cursor, Aider, and Windsurf. These rules are lightweight by design, acting as a practical starting point rather than an exhaustive rulebook. They are organized by domain (such as web frontend, backend, and mobile) and are heavily security-focused, covering recurring issues like injection flaws, unsafe handling, weak authentication flows, and cross-site request forgery (CSRF) protection.
- Do You Have the Right AI Tech Stack? It's not just about using AI; it's about using the correct tool for the job. Organizations need to focus on the security efficacy of the AI tools they use, ensuring they are specifically built to meet the demands of a secure environment. You should be able to leverage AI tools for proactive, developer-led threat modeling, not just for code output. When the right AI tools are used the right way, they actually enhance security and prevent many errors from slipping into the pipeline.
- Precision AI Governance: A lack of visibility and governance is the fastest way to breed "shadow AI" and spread insecure code throughout your organization. We need tools that provide deep observability to enable organizations to effectively manage A tooI adoption, MCPs in use, and the commits being made by agentic technology. For example, by correlating AI tool usage directly with developer secure coding skills, leaders can maintain oversight. Upskilling developers through an ongoing learning program ensures the safe use of AI early in the software development lifecycle (SDLC), allowing your organization to innovate faster without sacrificing security. You can do that right now with SCW Trust Agent: AI. Awesome!
- Adaptive Learning Pathways: CISOs must empower their developers via educational programs that provide hands-on, real-world upskilling in secure coding. It is vital to measure their progress in acquiring new skills and to observe developers’ commits to see how well they apply those skills daily—especially their ability to double-check the work of AI tools. By using benchmarks to establish required skills and measure educational progress, organizations can effectively manage their use of AI in software development.
Want to see Learning Pathways and AI Governance in action? Book a demo.
The Bottom Line
As any developer knows, AI coding tools are extremely powerful, but how they are used determines how well they support security and compliance. Security-proficient developers and their managers who follow this framework to safely leverage AI coding tools from the start of the development cycle can increase the quality and security of their code tenfold.
And those who don’t? Well, sadly, the risk profile will only continue to grow, and security leaders will continue to contend with a cyber skills gap expanding at a similar pace.
Table of contents
Chief Executive Officer, Chairman, and Co-Founder
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Secure code training topics & content
Our industry-leading content is always evolving to fit the ever changing software development landscape with your role in mind. Topics covering everything from AI to XQuery Injection, offered for a variety of roles from Architects and Engineers to Product Managers and QA. Get a sneak peak of what our content catalog has to offer by topic and role.
Cyber Resilience Act (CRA) Aligned Learning Pathways
SCW supports Cyber Resilience Act (CRA) readiness with CRA-aligned Quests and conceptual learning collections that help development teams build the Secure by Design, SDLC, and secure coding skills aligned with the CRA’s secure development principles.
%20(1).avif)
Resources to get you started
Cyber Resilience Act Explained: What It Means for Secure by Design Software Development
Learn what the EU Cyber Resilience Act (CRA) requires, who it applies to, and how engineering teams can prepare with secure by design practices, vulnerability prevention, and developer capability building.
