Enhancing Security Control Production With Generative AI
Chen Ling, Mina Ghashami, Vianne Gao, Ali Torkamani, Ruslan Vaulin, Nivedita Mangam, Bhavya Jain, Farhan Diwan, Malini SS, Mingrui Cheng, Shreya, Tarur Kumar, Felix Candelario

TL;DR
This paper presents a framework using Generative AI to rapidly generate security controls in Gherkin language, significantly reducing development time and improving efficiency for cloud security management.
Contribution
It introduces a structured approach leveraging large language models and retrieval-augmented generation to automate security control creation in Gherkin code.
Findings
Reduces security control development time from days to under a minute
Demonstrates effective use of GenAI on AWS cloud services
Enhances accuracy and efficiency of security control generation
Abstract
Security controls are mechanisms or policies designed for cloud-based services to reduce risk, protect information, and ensure compliance with security regulations. The development of security controls is traditionally a labor-intensive and time-consuming process. This paper explores the use of Generative AI to accelerate the generation of security controls. We specifically focus on generating Gherkin codes, which are the domain-specific language used to define the behavior of security controls in a structured and understandable format. By leveraging large language models and in-context learning, we propose a structured framework that reduces the time required for developing security controls from 2-3 days to less than one minute. Our approach integrates detailed task descriptions, step-by-step instructions, and retrieval-augmented generation to enhance the accuracy and efficiency of the…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection
