Although software development processes have been substantially optimized in recent years, security breaches continue to represent a major risk factor for companies. Digital transformation processes that do not implement security as a pillar tend to generate reprocesses and additional costs for remediation, in the worst cases, information leaks, ransomware attacks, denials of service, and other cyber-attacks that generate strong reputational, legal, or monetary impact. Over the years, secure development practices have evolved, and today frameworks help to intrinsically prevent vulnerabilities. Application Security Programs have also emerged, which are a mechanism that encompasses the policies, guidelines, processes, tools, and people that companies implement to protect their applications. Increasing the maturity level of an application security program requires automating activities and defining novel ways to challenge application security. One of the mechanisms in ague to automate security activities is Artificial Intelligence, with the advent of Large Language Models it is possible to solve tasks in each phase of the software life cycle, reducing the time spent by companies to generate secure systems. On the other hand, through Security Chaos Engineering it is possible to discover new forms of risk that are not easily discovered through traditional pen-testing methods or automated tools, which improves the security posture of applications. This master thesis generates a series of contributions that allow companies to improve their Application Security Programs. This work introduces ideas on early threat identification by applying Natural Language Processing on user stories, demonstrates the automation of threat models based on attack-defense trees using Large Language Models, and proposes Security Chaos Engineering use cases applicable to DevSecOps practices.
