4 New AppSec Requirements in the Age of AI
None
<p><i>Get details on 4 new AppSec requirements in the AI-led software development era.</i></p><p>We all know AI is transforming software development, and software security. But in the midst of all the hype, fear, and information overload, what are the top 4 AppSec steps you should focus on today?</p><p>Our experts recommend the following:</p><p> </p><h2><span style="font-weight: normal;">AI discovery</span><span> </span><span></span></h2><p>AI visibility is now a key part of AppSec. The ability to identify AI-generated code, and where and how AI is in use in your software development environment has become critical.</p><p>You want to both discover AI in your environment, and create governance around how it’s used.</p><p>What exactly do you need to discover? Ultimately, all AI elements in your development environment – every model your developers are creating, every MCP they are using, and other components like AI services.</p><p>In addition, what AI-generating tools are in use? Cursor? Copilot? You’ll need to apply governance around these tools as well.</p><p> </p><p><img fetchpriority="high" decoding="async" src="https://www.legitsecurity.com/hs-fs/hubfs/VibeGuard%20Control%20Center.png?width=2880&height=3762&name=VibeGuard%20Control%20Center.png" width="2880" height="3762" alt="VibeGuard Control Center" style="height: auto; max-width: 100%; width: 2880px;"></p><p> </p><h2><span><span>AI-specific security testing </span></span></h2><p>AI-specific security testing has become vital as well. AI brings in some novel vulnerabilities and weaknesses that traditional scanners can’t find, such as training model poisoning, excessive agency, or others detailed in <a href="https://genai.owasp.org/llm-top-10/">OWASP’s LLM & Gen AI Top 10</a>.</p><p>You also now need the ability to identify low-reputation or malicious AI models in use.</p><p> </p><h2><span><span>Threat modeling </span></span></h2><p>As the risk to the organization is changing, so too must threat models. If your app now exposes AI interfaces, is running an agent, or gets input from users and uses the model to process it, you’ve got new risks.</p><p>Legit’s <a href="https://www.legitsecurity.com/advanced-code-change-management-in-software-development-for-safe-releases">Advanced Code Change Management</a> plays a role here. It can detect when a team is introducing a new AI component to their app, then alert the right people to threat model the app before it’s too late. You don’t want to discover a chatbot without the proper guardrails after it’s been deployed for months.</p><h2><span>Awareness of toxic combinations </span></h2><p>The use of AI in code development itself is not necessarily a risk. But when its use is combined with another risk, like lack of static analysis or branch protection, the risk level rises.</p><p>For instance, research for our <a href="https://info.legitsecurity.com/state-of-application-risk?_gl=1*8aljkj*_gcl_au*NDE2NzczNTM0LjE3NTkxNTExNzg.*_ga*MTY0Mzc4MzAzOC4xNzM1NTcwNTk1*_ga_5FM5NFNQMW*czE3NjM3NTYxMTYkbzEwOTUkZzEkdDE3NjM3NTYxNDMkajMzJGwwJGgxMTQwMDMyMTI3">2025 State of Application Risk report</a> revealed that, on average, 17% of repos per organization have developers using GenAI tools PLUS lack of branch protection or code review. </p><p> </p><p><img decoding="async" src="https://www.legitsecurity.com/hs-fs/hubfs/toxic-combo-branch.png?width=7013&height=6784&name=toxic-combo-branch.png" width="7013" height="6784" alt="toxic-combo-branch" style="height: auto; max-width: 100%; width: 7013px;"></p><p> </p><p>These “toxic combinations” require both discovering which development pipelines are using GenAI to create code, and then ensuring those pipelines have all the appropriate security measures and guardrails in place.</p><h2 style="font-weight: normal;">Learn more</h2><p>Get more details on <a href="https://info.legitsecurity.com/appsec-in-the-age-of-ai-report?_gl=1*115r0sb*_gcl_au*NDE2NzczNTM0LjE3NTkxNTExNzg.*_ga*MTY0Mzc4MzAzOC4xNzM1NTcwNTk1*_ga_5FM5NFNQMW*czE3NjM3NTYxMTYkbzEwOTUkZzEkdDE3NjM3NTYxODQkajU5JGwwJGgxMTQwMDMyMTI3">AppSec in the Age of AI</a> in our new whitepaper.</p><p> </p><p><img loading="lazy" decoding="async" src="https://track.hubspot.com/__ptq.gif?a=20956152&k=14&r=https%3A%2F%2Fwww.legitsecurity.com%2Fblog%2F4-new-appsec-requirements-in-the-age-of-ai&bu=https%253A%252F%252Fwww.legitsecurity.com%252Fblog&bvt=rss" alt="" width="1" height="1" style="min-height:1px!important;width:1px!important;border-width:0!important;margin-top:0!important;margin-bottom:0!important;margin-right:0!important;margin-left:0!important;padding-top:0!important;padding-bottom:0!important;padding-right:0!important;padding-left:0!important; "></p><div class="spu-placeholder" style="display:none"></div><div class="addtoany_share_save_container addtoany_content addtoany_content_bottom"><div class="a2a_kit a2a_kit_size_20 addtoany_list" data-a2a-url="https://securityboulevard.com/2025/11/4-new-appsec-requirements-in-the-age-of-ai/" data-a2a-title="4 New AppSec Requirements in the Age of AI"><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2F4-new-appsec-requirements-in-the-age-of-ai%2F&linkname=4%20New%20AppSec%20Requirements%20in%20the%20Age%20of%20AI" title="Twitter" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2F4-new-appsec-requirements-in-the-age-of-ai%2F&linkname=4%20New%20AppSec%20Requirements%20in%20the%20Age%20of%20AI" title="LinkedIn" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2F4-new-appsec-requirements-in-the-age-of-ai%2F&linkname=4%20New%20AppSec%20Requirements%20in%20the%20Age%20of%20AI" title="Facebook" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2F4-new-appsec-requirements-in-the-age-of-ai%2F&linkname=4%20New%20AppSec%20Requirements%20in%20the%20Age%20of%20AI" title="Reddit" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fsecurityboulevard.com%2F2025%2F11%2F4-new-appsec-requirements-in-the-age-of-ai%2F&linkname=4%20New%20AppSec%20Requirements%20in%20the%20Age%20of%20AI" title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share"></a></div></div><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://www.legitsecurity.com/blog">Legit Security Blog</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Suzanne Ciccone">Suzanne Ciccone</a>. Read the original post at: <a href="https://www.legitsecurity.com/blog/4-new-appsec-requirements-in-the-age-of-ai">https://www.legitsecurity.com/blog/4-new-appsec-requirements-in-the-age-of-ai</a> </p>