This talk was recorded at NDC Security in Oslo, Norway. #ndcsecurity  #ndcconferences  #security  #developer   #softwaredeveloper    

Attend the next NDC conference near you: 
https://ndcconferences.com
https://ndc-security.com/

Subscribe to our YouTube channel and learn every day:  @NDC 

Follow our Social Media!

https://www.facebook.com/ndcconferences
https://twitter.com/NDC_Conferences
https://www.instagram.com/ndc_conferences

#applicationsecurity #programming #securitytools #testing #devops #owasp #api 

If you ask 10 developers for a code review, they will identify different issues, and many will miss security concerns like broken access control and lack of input validation.

How can a DevOps team in their daily work assert that new features do not introduce vulnerabilities, that security bugs get caught before deploy to production? What are the key questions to ask in a code review? And how can we show that the application code also aligns with requirements from compliance, well-known best practices and internal security policies?

This presentation will demonstrate how to build APIs that are both secure and compliant by design; using OWASP ASVS and support from an application security tuned coding agent.

Demos will be for an API in .NET with Copilot custom agents.

NDC Conferences

A conference talk from NDC Security 2026 by a developer and an application security specialist demonstrating how to build secure and compliant APIs by design. The talk walks through a live code review of a REST API endpoint, identifying a broken object-level authorization (BOLA/IDOR) vulnerability missed during development. It then explores automating security reviews using GitHub Copilot review agents enriched with context (access model, OWASP ASVS controls, internal security policies). The presenters build an MCP server with RAG-backed indexes to provide compliance references (CIS controls mapped to ISO, PCI-DSS) alongside security feedback. Key takeaways include eight security review questions, the importance of context for AI agents, the non-deterministic nature of LLMs, and the continued need for humans in the loop.

Secure and Compliant APIs - By Design - Daniel Sandberg & Tobias Ahnoff - NDC Security 2026