Modern machine learning approaches for vulnerability detection achieve strong performance within specific datasets, yet their reliability degrades under domain shift, limiting their effectiveness for real-world secure software development lifecycle (SDLC) decision-making. In particular, probabilistic vulnerability predictions, while well-calibrated, exhibit instability across heterogeneous codebases, reducing their suitability as standalone risk indicators. This paper introduces Intelligent Risk-Adaptive Secure SDLC (IRAS-SDLC), a lifecycle risk aggregation framework for Secure AI-Augmented Software Assurance under the Risk Management Framework (RMF) and Zero Trust. The proposed framework integrates model-derived vulnerability likelihood with structured security metrics, specifically exploitability and impact derived from standardized Common Vulnerability Scoring System (CVSS) data, to construct a unified and interpretable risk representation. This formulation enables consistent prioritization across SDLC phases while aligning with RMF control families and Zero Trust continuous verification principles. By combining learned semantic signals with domain-independent security factors, IRAS mitigates the instability of vulnerability likelihood under distributional shifts and provides a more robust basis for cross-domain risk assessment. The framework embeds risk evaluation early in the SDLC, enabling proactive identification of vulnerabilities during the requirements and design phases rather than post-implementation detection. Empirical evaluation demonstrates that IRAS-SDLC maintains meaningful risk estimation under domain shift and significantly improves lifecycle outcomes. In particular, early risk identification yields negative detection latency relative to conventional methods and reduces simulated remediation costs by up to an order of magnitude. 
IRAS-SDLC bridges the gap between machine learning-based vulnerability prediction and governance-aligned security assurance by providing a stable, interpretable, and lifecycle-aware risk assessment mechanism that is directly compatible with RMF-based compliance workflows and Zero Trust architectures.
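An added worked illustration of the aggregation the abstract describes (not the paper's own code): CVSS v3.1 exploitability and impact sub-scores are computed from a base vector, blended with a model's vulnerability likelihood into one risk score, and the ranking is then checked for stability when the likelihood drifts across domains. The additive blend, its weights and normalisation, and the constructed findings are assumptions for this example.

```python
# Added example, not the paper's code. The blend in risk_score() and the
# constructed findings below are assumptions made for illustration only.
# CVSS v3.1 base-metric weights for scope-unchanged vectors (from the spec).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

def cvss_subscores(vector: str) -> tuple[float, float]:
    """(exploitability, impact) for a scope-unchanged CVSS v3.1 base vector
    such as 'AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    m = dict(part.split(":") for part in vector.split("/"))
    if m.get("S") != "U":
        raise ValueError("only scope-unchanged vectors are handled here")
    expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR_U[m["PR"]] * UI[m["UI"]]
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    return expl, 6.42 * iss

EXPL_MAX, IMPACT_MAX = cvss_subscores("AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")  # normalisation maxima

def risk_score(likelihood: float, vector: str, w_model: float = 0.4) -> float:
    """Unified risk in [0, 10]: model likelihood blended with CVSS factors.
    Additive blend with weight w_model on the learned signal (assumed form)."""
    expl, imp = cvss_subscores(vector)
    cvss_part = 0.5 * (expl / EXPL_MAX + imp / IMPACT_MAX)
    return 10 * (w_model * likelihood + (1 - w_model) * cvss_part)

def rank_concordance(a: list[float], b: list[float]) -> float:
    """Fraction of item pairs ordered the same way by both score lists."""
    pairs = [(i, j) for i in range(len(a)) for j in range(i + 1, len(a))]
    agree = sum((a[i] - a[j]) * (b[i] - b[j]) > 0 for i, j in pairs)
    return agree / len(pairs)

# Constructed findings: (name, in-domain likelihood, likelihood after domain
# shift for the same code, CVSS vector). All values are made up.
FINDINGS = [
    ("sqli", 0.92, 0.55, "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("redos", 0.81, 0.78, "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    ("local-info-leak", 0.70, 0.85, "AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"),
    ("xss-authenticated", 0.45, 0.40, "AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"),
]

def shift_stability(findings=FINDINGS, w_model: float = 0.4) -> tuple[float, float]:
    """Ranking agreement before/after shift: (likelihood only, unified risk)."""
    p_in, p_out = [f[1] for f in findings], [f[2] for f in findings]
    r_in = [risk_score(f[1], f[3], w_model) for f in findings]
    r_out = [risk_score(f[2], f[3], w_model) for f in findings]
    return rank_concordance(p_in, p_out), rank_concordance(r_in, r_out)
```

On the constructed findings, likelihood alone preserves only half of the pairwise ordering after the shift, while the CVSS-anchored risk score preserves all of it; the domain-independent factors dominate once the learned signal becomes unreliable.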
Quaye et al. studied this question.