This conference talk from NDC Security 2026, given by a developer and an application security specialist, demonstrates how to build secure and compliant APIs by design. The talk walks through a live code review of a REST API endpoint and identifies a broken object-level authorization (BOLA/IDOR) vulnerability that was missed during development. It then explores automating security reviews using GitHub Copilot review agents enriched with context (access model, OWASP ASVS controls, internal security policies). The presenters build an MCP server with RAG-backed indexes to provide compliance references (CIS controls mapped to ISO, PCI-DSS) alongside security feedback. Key takeaways include eight security review questions, the importance of context for AI agents, the non-deterministic nature of LLMs, and the continued need for humans in the loop.

50m watch time
