Automating Security Workflows with Agents

Security reviews are often a complex dance, bringing together various experts, each with their unique insights and tools. This article explores a simple way to automate these intricate workflows using Agentic frameworks, specifically Microsoft AutoGen. We'll delve into a solution that mirrors the collaborative spirit of a human security team, empowering specialized agents acting as experts in application security, compliance, legal, and operational risk management to tackle open-ended security questions. This system, accessible via FastAPI endpoints and a user-friendly web interface, shows how automated agents can perform high-level analysis, gather information from diverse sources, and craft unified responses, significantly boosting efficiency, consistency, and scalability in security operations.


1. Introduction: The Challenge of Open-Ended Security Reviews

Traditional security reviews can be a time-consuming and largely manual effort. They demand input from multiple specialists, each with their own knowledge and preferred tools. This leads to lengthy assessment times and difficulty scaling as demand grows. Imagine an open-ended security query, such as deciding whether a new third-party dependency can be used in a project. This usually involves:

  • Application Security Experts: To check for vulnerabilities and best practices.
  • Compliance Specialists: To ensure regulatory adherence.
  • Legal Professionals: To review licensing terms and intellectual property.
  • Risk Management Analysts: To identify and quantify operational and business risks.

Each expert would consult their sources (internal databases, commercial tools, open-source intelligence) and apply their unique analytical methods. Our aim is to automate a workflow that accurately reflects this multifaceted expertise, offering the depth of a human team without the inconsistencies and delays of manual processes.


2. Why Agents?

The most effective way to capture the expertise and toolsets of individual security specialists is through Agentic frameworks. These frameworks let us create autonomous or semi-autonomous agents, each with defined roles, responsibilities, and access to specific tools, code, or APIs. This approach is a great fit for complex, open-ended queries that need diverse inputs and collaborative problem-solving.

For this example we will use Microsoft AutoGen because it is great at creating 1:1 teams with agents, each having distinct roles and skills. In AutoGen, roles are defined as system prompts, detailing each agent's responsibilities, while skills are a set of tools, code, or APIs linked to each role based on its needs.

Having your own configuration within an Agentic framework like AutoGen, which combines the power of a Large Language Model (LLM) with your specific instructions and custom code, gives you a high degree of accuracy and control over how information is fetched, processed, and presented. This includes the ability to:

  • Implement proprietary behaviors for specific roles.
  • Integrate with specific internal or external data sources.
  • Develop cross-verification capabilities to boost reliability.
  • Introduce mechanisms to control hallucinations, a common challenge with generic LLMs.

This makes it ideal for simulating expert human collaboration with custom logic and data sources, crucial for security applications where precision and context are key.


3. Solution Overview: Automating Security Workflows

This example streamlines routine security assessment workflows by orchestrating multiple expert agents using Microsoft AutoGen and making interactive endpoints available via FastAPI. The system allows users to submit assessment requests through a modern web interface and watch the workflow unfold step-by-step, much like a real security team collaborating.

Microsoft also makes agent configuration simpler with AutoGen Studio. This intuitive UI lets users easily configure agents, define intended workflows, and quickly refine them. Once a workflow is finalized in AutoGen Studio, its configuration can be smoothly moved into a dedicated application using the AutoGen framework.

In our setup, we've created FastAPI endpoints to enable interaction with the AutoGen workflow. This allows for flexible integration with various external interfaces, such as chat apps (Teams, etc.), email services, mobile apps, or simple web interfaces.

For this example, we've built a simple web interface to interact with FastAPI endpoints, providing a clear visual representation of the automated security assessment.


4. High-Level Structure

The example follows a simple structure that is organized for easy maintenance and uses OpenAI for LLM needs.

autogen_security_app/
├── fastapi_app.py        # FastAPI app endpoints for assessment
├── security_team_app.py  # Core logic for running the AutoGen workflow
├── autogen_config.py     # Agent and workflow configuration for MS AutoGen
├── autogen_skills.py     # Custom skills/functions for agents
├── requirements.txt      # Python dependencies
├── .env                  # API keys and secrets
├── templates/
│   └── index.html        # Modern web UI for submitting and viewing assessments

5. Implementation: Agentic Team in Action

At the heart of our solution is the smart orchestration of specialized agents, each designed to handle a specific part of a security review. This section provides a high-level overview of the agent configuration, API integration, and the user interface.

For this example, we'll simulate a common scenario: responding to an email query about whether a third-party dependency can be used in a project. This request typically involves analysis across several domains before a deeper investigation is needed. Our agents will perform this initial analysis within their areas of expertise and then consolidate a unified response for the requestor.

The agents involved in this workflow, along with their roles and responsibilities, are clearly defined:

  • Agent Configuration: All agents (e.g., Security Assistant, Security Risk Agents, License Risk Agents, Operational Risk Agents, Collaboration Agent) are defined in autogen_config.
  • Custom Skills: Functions for querying various sources (e.g., open, internal, commercial endpoints) and data processing logic are implemented in autogen_skills and linked to the respective agents.
  • Workflow Logic: The main workflow is orchestrated in security_team_app, where the user query is processed, the agents interact, and the result is post-processed for the requestor.

Autogen Studio makes it really easy to configure and quickly test agents
Autogen Studio makes it easy to iterate and test your agent team workflow

Here’s a breakdown of the key agents and their roles in our example:

  • Orchestrator Agent (e.g., Security Assistant): This agent extracts useful information from the input email or message, understands the query, and assigns tasks to relevant agents. Its responsibilities include identifying core components (like component name, version, and applicable license) from the initial request and sending this information to the appropriate downstream agents for specialized analysis.
  • Security Risk Agents (AgentSec 1, 2, & 3): These act as expert cybersecurity analysts. Their role is defined in extensive detail along the lines of: "You are an expert cybersecurity analyst. Your task is to synthesize information regarding potential security issues for the provided dependency...." These three separate agents each use distinct sources (e.g., open-source vulnerability databases like NVD, commercial security endpoints like Snyk, and internal vulnerability management databases) and custom skills (code) to gather information on applicable security issues.
  • License Risk Agents (AgentLegal 1 & 2): Serving as legal experts specializing in open-source licensing, their role is outlined in detailed system messages along the lines of: "You are a legal expert with responsibility to assess the licensing implications of software dependencies for...." These two agents each leverage their own external and internal sources. One identifies applicable risks from public online license databases, while the other refers to internal organizational legal guidelines and policies on software licenses.
  • Operational Risk Agents (AgentOpr 1 & 2): These agents function as operational risk assessors. Their role is specified as: "You are an expert in operational risk management. Your task is to identify and evaluate potential operational risks associated with integrating a new software component and...." Using commercial endpoints and internal policies, these agents identify potential operational risks (e.g., maintainability, support, supply chain risks) related to the dependency.
  • Collaboration Agent (e.g., Summarizer): This agent serves as an information synthesist and communication specialist. Its role is: "Your task is to consolidate complex technical and legal information from various expert agents into a clear, concise, and actionable summary for..." Its responsibilities include receiving inputs from all specialized agents, aggregating the findings, and synthesizing them into a simple, user-friendly output that answers the requestor's query in a templated way and suggests further action items if needed.

It's crucial to define agent roles in a detailed and unambiguous manner to ensure consistency and predictability of the output. The examples given above are small excerpts of how system messages need to be configured. Feel free to experiment based on your specific needs.

5.2. Interface

The agent workflow is made accessible through FastAPI, offering flexible integration. A dedicated endpoint (/security_assessment) accepts user queries and returns the results to a straightforward web interface.

Here's a look at how this setup works:


6. How the Workflow Looks

  • The Orchestrator kicks off the process, delegating specific tasks to other specialized agents.
  • The Security Risk Agents independently dive into vulnerability databases and internal security reports.
  • The License Risk Assessors meticulously review legal terms and organizational policies.
  • The Operational Risk Assessors evaluate non-technical risks and potential impacts.
  • Finally, the Collaboration Agent pulls all findings together into a clear, actionable report.

This mirrors how a real security team would collectively handle a query, but with the added perks of automation and standardization. Teams can refer to this information to decide if further manual analysis is needed or not.
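The orchestrator-to-summarizer flow described in sections 5 and 6, together with the cross-verification idea from section 2, as an added Python example that is not the article's code or AutoGen's API: the three vulnerability feeds, the license policy table, the component "leftpad" and the PLACEHOLDER advisory identifiers are all constructed stand-ins, and each agent's skill is a plain function so the block runs offline.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for the open (NVD-style), commercial and internal
# sources the three Security Risk Agents query. Identifiers are placeholders.
OPEN_DB = {("leftpad", "1.3.0"): {"PLACEHOLDER-0001: prototype pollution"}}
COMMERCIAL_DB = {("leftpad", "1.3.0"): {"PLACEHOLDER-0001: prototype pollution",
                                        "PLACEHOLDER-0099: ReDoS (unconfirmed)"}}
INTERNAL_DB = {("leftpad", "1.3.0"): {"PLACEHOLDER-0001: prototype pollution"}}
LICENSE_POLICY = {"MIT": "approved", "GPL-3.0": "needs legal review"}  # internal policy stand-in

@dataclass
class Request:
    name: str
    version: str
    license: str

def orchestrate(email: str) -> Request:
    """Orchestrator skill: pull component name, version and license out of the request."""
    name = re.search(r"(?:dependency|package|library)\s+([A-Za-z][\w.-]*)", email, re.I)
    version = re.search(r"\bv?(\d+\.\d+(?:\.\d+)?)\b", email)
    lic = re.search(r"\b(MIT|Apache-2\.0|GPL-3\.0|BSD-3-Clause)\b", email)
    if not (name and version and lic):
        raise ValueError("request lacks component name, version or license")
    return Request(name.group(1).lower(), version.group(1), lic.group(1))

def security_findings(req: Request) -> dict[str, int]:
    """AgentSec 1-3: query every source, then cross-verify (finding -> source count)."""
    key = (req.name, req.version)
    reports = [db.get(key, set()) for db in (OPEN_DB, COMMERCIAL_DB, INTERNAL_DB)]
    return {f: sum(f in r for r in reports) for f in set().union(*reports)}

def license_finding(req: Request) -> str:
    """AgentLegal 2: check the license against the internal policy table."""
    return LICENSE_POLICY.get(req.license, "unknown license: needs legal review")

def summarize(email: str) -> str:
    """Collaboration Agent: run the workflow and emit the templated reply."""
    req = orchestrate(email)
    sec = security_findings(req)
    confirmed = sorted(f for f, n in sec.items() if n >= 2)
    unverified = sorted(f for f, n in sec.items() if n == 1)  # single-source: flag, don't trust
    lic = license_finding(req)
    verdict = "approve" if not confirmed and lic == "approved" else "escalate for manual review"
    return "\n".join([
        f"Assessment: {req.name} {req.version} ({req.license})",
        f"Security: {len(confirmed)} confirmed, {len(unverified)} single-source (verify manually)",
        f"License: {lic}",
        f"Recommendation: {verdict}",
    ])
```

A finding reported by only one of the three sources is surfaced but flagged rather than treated as fact, which is the cross-verification control for LLM hallucinations the article recommends.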

Figure: the simplified output delivers clear, actionable insights.

Key Advantages and Considerations

The agent-based approach offers clear benefits. It significantly boosts efficiency by automating repetitive security tasks, freeing up valuable time and resources for strategic initiatives. You'll also see improved consistency through standardized processes, reducing human error and ensuring high-quality results. It is designed for scalability, allowing teams to handle more requests as needed, and its extensibility means you can easily add new expertise and tools. This example provides a single, unified interface for complex security workflows and enables non-experts to benefit from expert-level analysis, ultimately accelerating decision-making for security approvals and risk mitigation.

However, be mindful of a few considerations. The system's effectiveness relies heavily on agent quality, requiring continuous refinement. Complexity can also be a factor in debugging multi-agent workflows. Lastly, watch out for possible inaccuracies; ongoing monitoring and mechanisms like cross-verification are crucial to control LLM hallucinations and maintain factual accuracy.


7. Conclusion

This example has been an exploration of how Agentic frameworks like Microsoft AutoGen can help automate and orchestrate complex workflows quickly. By thoughtfully designing intelligent agents to mimic the collaborative spirit of a human expert team, we've seen how it's possible to build a system that supports faster and more consistent security processes aligned with traditional manual approaches. Agent-powered automation can truly empower teams to manage their operations more effectively, offering a path to more accessible, repeatable, and efficient expert-level assessments.
