LLM-Assisted Application Security — Doctoral Pitch by Emil Marian Pașca

News

PhD candidate Emil Marian Pașca (UTCN, scientific coordinator Prof. Dr. Eng. Oliviu Matei) pitched his doctoral research: LLM-Assisted Application Security.

The problem

Modern applications expose increasingly large attack surfaces — APIs, microservices, IoT endpoints, third-party integrations. Traditional security testing depends on rule-based scanners and hand-written test suites that struggle to keep up with the pace of development and the complexity of authorisation logic. Critical vulnerability classes such as Broken Object Level Authorization (BOLA) are notoriously hard to catch with classical tools.

The approach

The research investigates how Large Language Models (LLMs) can augment security testing — by interpreting API specifications, generating context-aware test cases, identifying suspicious authorisation patterns and proposing targeted attack scenarios. The work integrates LLM-driven test generation with Retrieval-Augmented Generation (RAG) techniques and the Karate DSL framework for automated test execution.

Concrete results

Several peer-reviewed publications have already emerged from this work within the COSA project:

  • Augmenting API Security Testing with Automated LLM-Driven Test Generation — CISIS 2024;
  • Enhancing API Security Testing against BOLA and Authentication Vulnerabilities through an LLM-Enhanced Framework — SOCO 2024;
  • LLM-Driven, Self-Improving Framework for Security Test Automation: Leveraging Karate DSL for Augmented API Resilience — IEEE Access (Q2), 2025;
  • A Vulnerable-by-Design IoT Sensor Framework for Cybersecurity in Smart Agriculture — Agriculture (MDPI, Q1), 2025.

The doctoral work demonstrates how AI techniques originally developed for general-purpose language understanding can deliver concrete, measurable improvements in the specific and high-stakes domain of API security testing.

Presentation slides

View the full slide deck below — or open the PDF in a new tab / download.

If the PDF does not render in your browser, please use the "open" or "download" link above.

0 Comments