Authors: Brian Smitches, Head of Partner Deployed Engineering at Windsurf | Jin Wong, Partner Deployed Engineer at Windsurf | Tarak, Growth at Aikido
Modern development teams do far more than simply write code. Now, with the help of AI, software development organizations are orchestrating its creation, maintenance, and delivery at a bigger scale than ever before.
Tools like Windsurf and Devin from Cognition help developers across the Software Development Lifecycle (SDLC) by augmenting people with multi-step reasoning agents that can write code. Windsurf helps you get hands-on in your code base in your local machine’s IDE while Devin (the world’s first AI Software Engineer) helps you delegate work to fleets of autonomous agents, ultimately multiplying the volume of output per engineer.
While increased development velocity is core to the value proposition of these AI tools, security-conscious customers want to ensure that using AI tools does not introduce additional risk. Mitigating unintended consequences such as misconfigurations, vulnerabilities, or exploitations is critical to ensure you can stay secure at the speed of innovation. This is where dedicated developer security platforms like Aikido Security fit in.
This article explores how to embed security directly into your AI-enabled SDLC and development pipelines using tools like Windsurf (AI enabled IDE), Aikido (developer-first security), and Devin (autonomous agent). Together the right tools, people, and processes ensure you develop software efficiently with a high security posture.
Why Your SDLC Needs a Security-First Foundation
In the absence of a strong security posture, organizations face risks with or without AI tooling. These include but are not limited to:
- Data breaches
- Insider threats
- Software supply chain attacks
- Adversarial exploits
Many enterprises have adopted DevSecOps or SecDevOps processes to embed security practices across the full development pipeline. Ensuring security measures are a forethought rather than an afterthought protects against financial losses, regulatory penalties, and reputational damage.
AI systems are very intelligent when they incorporate the right context awareness and prompt engineering. AI offerings like Windsurf and Devin allow customers to define customized behavior for the AI to help you address security concerns proactively and reactively. When you augment your AI agents with context and tools from security offerings like Aikido, you unlock benefits like shifting security left, triaging vulnerabilities in real-time with an autonomous agent, and mature your overall DevSecOps pipeline.
AI-Powered IDEs: Where Secure Development Begins
Windsurf brings Cascade, a collaborative AI agent, right into your IDE to minimize disruption to normal development processes. The agent can be used in the Windsurf Editor (based on VS Code) or as a plugin to the JetBrains suite of IDEs.
.gif)
Cascade understands the context of your codebase, can plan and implement multi-file edits, and provide inline code suggestions. Critically, at its core, Windsurf was built with human-in-the-loop philosophy in mind to guard against fully autonomous AI in a traditionally hands-on development environment.
With developers in command of their workflows and how they collaborate with the AI, developers realize the benefits of agentic software development without giving up control. The human can review AI suggested changes one code snippet at a time and can optionally revert to previous checkpoints in their conversation. The seamless partnership between human developer and coding agent creates an intuitive flow that can improve your security and efficiency.
Windsurf further enhances Cascade by providing mechanisms for users to define unique standards and security practices for their day-to-day development to the AI agent. With Windsurf Customizations, Cascade adapts to team-specific guidelines, coding norms, and implementation details. Windsurf Rules let you codify style and structure across your workspace, while Windsurf Workflows turn repetitive prompting patterns into reusable, shareable playbooks.
AI that is further customized and enabled with security tooling like the Aikido Windsurf plugin helps user-written software conform to your security standards and best practices.
Autonomous Agents: How to leverage additional AI software engineers
While developers will always be necessary for mission-critical and creative tasks, autonomous agents such as Devin are increasingly gaining popularity for more well-scoped, repetitive tasks. You can think of Devin as an AI equivalent of a Junior Software Engineer that scales elastically as your software development demand changes.
Through Devin, customers are executing large-scale migrations in record time, chipping away the endless backlog of bugs and feature requests, and automatically triaging flagged vulnerabilities
Overall, Devin helps organizations move faster by reducing the burden on existing development teams and organizations trust Devin through its diligence in running tests and local security scanning tools before initiating Pull Requests.
As Devin is designed to work in a 1:M fashion, it’s integrated into existing work collaboration systems, such as Jira, Slack, and Linear, where it can receive assigned tasks. Once Devin completes its task, it creates a Pull Request and an audit log of all of its research and work so developers can review the session. Additionally, reviewing resulting pull requests in their Source Code Management tool with security tools like Aikido can help you increase confidence in shipping the code output.
Now, your engineers can stay focused on ambiguous or high-risk tasks, while your fleet of agents respond to feature requests, bugs, and identified security vulnerabilities from security systems like Aikido.
The Role Aikido Plays
While moving fast in AI-powered IDEs and orchestrating software development with autonomous agents, Aikido ensures that speed does not come at the expense of security.
In any development environment, even those augmented by AI, security vulnerabilities will inevitably occur. A committed config file might include a test API key. Dockerfiles used for local testing might inadvertently expose wide network access in staging. AI-generated routes intended for scaffolding can make it to production without authentication. Infrastructure-as-code templates might over-provision access. Even small details like verbose stack traces or hardcoded test credentials can result in real-world vulnerabilities.
That’s why Aikido is built on the premise of securing software wherever you build, host, and run, catching vulnerabilities of all sizes before they become incidents
In practice, that means Aikido connects to your development tools and environments from IDEs and CI pipelines to build artifacts and cloud infrastructure, and continuously checks for vulnerabilities. It provides feedback directly in your existing workflows, whether that’s catching secrets before a commit, gating CI builds on critical issues, or surfacing dependency risks in a pull request. Aikido applies its own AI to help filter noise, prioritize high-impact findings, and automatically fix vulnerabilities across the SDLC.
By meeting developers where they already work, Aikido makes it easy to take action without breaking the dev flow. By catching issues early at every step, and even in real time, it allows teams to focus on what they do best: shipping great software. Teams can move at the full speed of AI-powered development, confident in the security of the code they write, generate, and ship.
How to use Windsurf and Aikido
Augmenting Windsurf and Devin with Aikido does not require any complex setup or integration. If Aikido is already connected to your remote repo, it will monitor commits and pull requests irrespective of whether the code was developed in Windsurf, by Devin, or by a developer in Notepad ++
Here’s how you can use the two tools together:
1. Inside the IDE: Code Smarter and Safer
Windsurf puts AI in your IDE. Aikido puts security there too. Whether the code comes from you or an AI agent, Aikido ensures the working tree meets your security standards in real time by helping you:
- Detect leaked secrets like tokens or credentials before they’re committed
- Flag risky logic such as raw SQL, shell calls, or weak input validation
- Highlight vulnerable dependencies like open-source libraries
With Aikido built into the IDE, you get immediate feedback without context switching, staying in the flow while also improving security.
2. In CI and PRs: A Second Set of Eyes
After code leaves the editor, Aikido monitors your CI pipelines and pull requests. It scans all changes, regardless of who or what wrote the code, helping you:
- Re-check for known vulnerabilities in code and dependencies
- Validate changes to infrastructure or service configs
- Block merges if critical issues are found
- Filter out low-priority noise so you only see what matters
Findings appear inline in the pull request or in CI status checks. That’s it, there’s no extra configuration needed!
3. At Build Time: Inspect What You Ship
Security goes beyond the source code. When you build containers or packages, Aikido shifts focus to the actual artifacts being produced by:
- Scanning images for outdated system packages and common vulnerabilities
- Flagging libraries introduced by code generation or copied examples
- Checking bundled code for license risks before release
- Works without needing you to declare what was AI-generated
This is where issues often surface from auto-included packages or template-based scaffolding that comes from third party application dependencies.
4. After Deploy: Watch the Cloud
Aikido monitors the environment where your app runs and checks for common mistakes in configuration through:
- Validating cloud setup across AWS, GCP, and Azure
- Detecting exposed services, public buckets, and weak permissions
- Checking Kubernetes, networking, and deployment configs
- No agents required and nothing to install
This is especially useful if infrastructure code generated by AI makes it into staging or production without a second look.
5. In Production: Tests Like an Attacker
Aikido can run real-world tests against your application while it’s live, just like a user or attacker might. Aikido can:
- Test routes and features using valid credentials
- Find injection risks, exposed endpoints, and missing access controls
- Detect undocumented or unintentionally exposed APIs
- Block suspicious traffic at runtime if enabled
This is where you catch issues that weren’t visible during code review but appear in how the app behaves when it’s live.
Ultimately, no matter what causes the security vulnerability, you should have a streamlined response plan that shifts security as left as possible. Aikido is here to surface the issues and help you address the risk by updating your source code manually in applications like the Windsurf Editor or via Devin.
Next Steps
When you’re ready to put these ideas into practice, we recommend the below starting points to understand how to leverage AI capabilities to develop secure software and applications:
- Get started with Windsurf: https://www.windsurf.com/university
- Scan your code with Aikido: https://integrations.aikido.dev/integrations/windsurf
- See Devin’s DeepWiki feature on public repositories at deepwiki.com
- Get started with Devin at app.devin.ai
- Check out Aikido’s Secure Development Practices: https://www.aikido.dev/learn/secure-development
- See Aikido’s secure vibe coding webinar: https://www.youtube.com/watch?v=xGDYPRPoFPA
A Final Thought
AI isn’t replacing developers, it’s augmenting them. But velocity without safety is a just reason for pause, so we recommend you improve your security mechanisms before maximizing velocity. Secure applications don’t emerge by chance; they’re the result of the combination of thoughtful design, capable tooling, and people’s prioritization.
Embedding security into every step, from prompt to production, is a critical input to help teams ship faster and safer.
.avif)
