AI-ENHANCED THREAT MODELING IN THE DESIGN PHASE OF THE SOFTWARE DEVELOPMENT LIFE CYCLE: A CASE STUDY AT PT. XYZ

Abstract

This thesis presents a qualitative case study on the design and perceived utility of an AI-Enhanced threat modeling approach intended to enhance security during the design phase of the Software Development Life Cycle (SDLC) at PT. XYZ, a financial technology company. Traditional threat modeling processes are often manual and dependent on limited security expertise, creating significant challenges in fast-paced development environments. To address this, this research explores the development of a novel AI tool and seeks to understand the lived experiences and perceptions of its intended users. Grounded in a constructivist worldview, this study employs a qualitative case study design to conduct an in-depth exploration of the phenomenon within its real-world context. The research involved two key stages: first, the design and development of an AI agent capable of automating threat identification (STRIDE) and risk assessment (DREAD) from design artifacts; and second, a series of semi-structured interviews with software engineers and architects at PT. XYZ. Thematic analysis of the interview data revealed key insights into the perceived value of the AI-Enhanced framework. Participants highlighted its potential to significantly improve the efficiency and comprehensiveness of threat modeling, viewing it as a valuable "expert assistant" that could empower development teams. However, they also emphasized the indispensable role of human oversight to ensure contextual accuracy and to build trust in the tool's outputs. This study contributes a rich, contextualized understanding of how AI tools can be integrated into secure software development, providing practical insights for organizations seeking to foster a more proactive security culture.
