How to Use "AI" For Security Code Reviews
In this video, I go through a demo showing how to use AI (Claude Code in this demo) to perform a security code review. The approach starts with a definition of security for the codebase, built by identifying the relevant threats and their suggested mitigations, and ends with finding potential security issues where those mitigations are not followed.

Blog: https://medium.com/appsec-untangled/how-to-use-ai-for-security-code-reviews-609440e6a16e

Hope you find it useful!

0:00 Introduction
1:57 A Mental Model for Security Issues
2:20 Category 1: Business Logic Vulnerabilities
5:50 Category 2: Source-Sink Vulnerabilities
10:36 Demo Setup: Introducing the Application
12:06 Step 1: Understanding the Architecture with AI
14:09 Step 2: Building the Threat Model with AI
15:40 Deep Dive: Insecure Deserialization via Pickle (Threat Exploration)
23:14 Step 3: Generating the Security Wiki
29:48 Step 4: Creating the AppSec Review Skill
31:49 Step 5: Running the Review on a Real Pull Request
35:55 Live Finding: Missing Authorization Checks
39:09 Key Takeaways & How to Tune the Skill
41:42 Wrap Up

#AppSec 🛡️ #ApplicationSecurity 🔐 #SecurityEngineering 🧠 #DevSecOps ⚙️ #ThreatModeling 🧩 #SecureByDesign 🏗️