Software Engineering 1.0 Redux

Overview

This section is hands on end2end turning the thoughts on Software Engineering 1.0 Redux from the previous pages into reality.

Phases are shown in chronological order - note that a second security review was done based on a newly published OWASP guide.

Phase	Input	Chat History	Output
Exploratory	-	-	Pre-existing documentation
Planning	Pre-existing documentation	Chat history	Product Brief, PRD, UX requirements, Architecture document.
Security Review	Product Brief, PRD, UX requirements, Architecture document.	Chat history	- Security review documents - Changes to the architecture document by the architect based on the security agent's findings
Document Preparation for development consumption	- PRD - Security Story Report from Security Analyst	- Chat history - Chat history	- User Stories - Security Stories ("S-" prefix)
Security Review	Newly published Securing Agentic Applications Guide, OWASP Gen AI Security Project - Agentic Security Initiative Version 1.0 July 28, 2025	- Chat history	- Changes to the architecture document, and security documents, based on the security agent's review of the newly published OWASP guide - Changes to 2 Security Stories
Core Development Cycle	- User Stories - Security Stories ("S-" prefix) - Security Test Cases		Coming soon...
Code Review	Deliberately Vulnerable test app for test and demo purposes	-	Vulnerability Report that includes independent analysis and triage of results, and confidence levels

Summary table of the SW Engineering 1.0 Redux phases

Software Security Touchpoints

Image from Secure Programming with Static Analysis by Brian Chess, Jacob West

Phase: Existing Exploratory Documentation

In the exploratory part of the project at the start I had some existing documentation:

1. A Cost Analysis was created by using
   1. ChatGPT and Gemini Reasoning models to create an analysis
   2. Getting them to cross-review each other's output and amending their own output as a result
   3. Then taking the amended ChatGPT version as it was more succinct which is what I was looking for.
   4. The cost analysis was a back-of-napkin effort to understand likely operational costs early to see if these were a show-stopper or not.
2. Research Documents using ChatGPT and Gemini Research models and Anthropic
3. ADRs using an existing competed example I liked, and redoing it for the architecture decisions I had made using ChatGPT and Gemini Reasoning models and Anthropic.
4. Some Functional Requirements and use cases and user stories (in a Doc format) from MITRE CWE team.

Phase: BMAD The Planning Workflow

Having reviewed and played with some of the SWE agents, the BMAD-Method was closest to my views on Software 1.0 Redux, so this is used here.

There's 2 BMad Workflows:

• The Planning Workflow
• The Core Development Cycle

See the updated BMAD flows detailing the Security activities I added:

• The Planning Workflow
• The Core Development Cycle

BMAD The Planning Workflow

BMAD method breaks down the requirements and other upstream artifacts into epics and stories, enabling Claude Code to generate structured code and docs with little human intervention (Level 4 Autonomy).

Key Planning Phases

• Optional Analysis: Analyst conducts market research and competitive analysis
• Project Brief: Foundation document created by Analyst or user
• PRD Creation: PM transforms brief into comprehensive product requirements
• Architecture Design: Architect creates technical foundation based on PRD
• Validation & Alignment: PO ensures all documents are consistent and complete
• Refinement: Updates to epics, stories, and documents as needed
• Environment Transition: Critical switch from web UI to IDE for development workflow
• Document Preparation: PO shards large documents for development consumption

Here we build the Upstream Software Engineering Artifacts.

Specifically these are the artifacts that are built with the workflow below.

Setup

The BMAD-METHOD is used.

Specifically, the Fastest Start: Web UI Full Stack Team at your disposal part where you create a Gemini GEM with a BMAD-provided text file.

• All these documents are created via a browser interface (Gemini GEM) so the process is IDE-independent!
• Gemini's long-context window allows it to keep the various documents produced in context so it can make consistent changes across them all.

Tip

The created files are available via

• the Google Gem Canvas
• the prompt response when you request a specific document

Observation

I was impressed how well this setup worked!

• following a logical workflow and prompting for choices or input at each stage (and not getting lost)
• allowing me to request Gemini Gem to output a document at any time (so I could review and version control it before changes)
• allowing me to refine the content or ask questions across all the documents as required e.g. if I suggested a change that impacted multiple documents then this was detected by Gemini and the updates made. This ensured consistency across the artefacts.

Some choices / decisions were delibertate postponed e.g. data exchange formats and schemas per Principle #3 - Assume variability; preserve options. This results in a PARTIAL Status at this point.

Interaction with BMAD Gemini Gem

Success

See the full chat history of creating a Product Brief, PRD, UX requirements, Architecture document.

Tip

I worked the pre-existing document content into the The Planning Workflow by providing the content to the BMAD Persona at the relevant time via the prompt.

Phase: Security Review

BMAD-Method did not have a dedicated Security persona or security documents (but does include some basic security checks)

Other Threat Modeling solutions could be used to create these security documents

• See example security artifacts

Tip

The different Threat Modeling solutions had different features I liked, so I decided to build a BMAD Method Security Agent with all the features I wanted.

The BMAD Method Security Agent fits in the BMAD Planning Workflow

• It reviews the existing documents, creates security documents including threat models, security test cases, and security updates to the architecture document.
• Unlike the other solutions, this Security Agent can also be used during the code implementation phase.

Adding a BMAD Method Security Agent

I added a Security Agent to BMAD per commits from Crashedmind. The commit descriptions give the details.

You can browse through the files e.g.:

• Security Agent
• Security Tasks

Tip

The Security Agent creates these Security review documents

Document	Description
security_assessment.md	Initial security assessment and analysis
threat_model.md	Complete STRIDE threat model
dread.md	Quantitative DREAD risk assessment
security_story_report.md	Actionable security user stories
https://github.com/CWE-ChatBot/CWE-ChatBot/tree/main/docs/security/bmad_fullagent_security/security_test_cases.md	Security test cases and validation scenarios
security_architecture_checklist.md	Architecture checklist validation
compliance_audit.md	GDPR compliance audit

Building the Bundles

The builder gathers all the relevant files for all the agents into single files in https://github.com/CyberSecAI/BMAD-METHOD/tree/feature/add-new-agent-security/dist/teams

• e.g. team-fullstack.txt contains all the agents including security, and all the other files they need.

Create a Gemini Gem with the FullStack team

• https://gemini.google.com/
• Explore Gems
• New Gems
• CopyNPaste team-fullstack.txt into instructions
• Save

Using the BMAD Method Security Agent via the Gemini Gem with FullStack team

1. Collate the project brief, prd, architecture etc... md files into one file (e.g. using gitingest)
2. At the prompt say "here's my existing documentation" and copyNpaste the collated md file into the prompt
3. Click the Submit Arrow
4. The workflow kicks off

Success

See the

• full chat history using the Security Agent.
• full chat history creating and using the Security Agent (Video)
• output security artifacts.

• changes to the architecture document by the architect based on the security agent's findings

  • "| July 23, 2025 | 2.0 | Integrated security agent's findings (WAF, AI Guardrails, DoS Protection, Enhanced Logging). | Winston (Architect) |"

Document Preparation for development

Key Planning Phases

When to move to the IDE: Once you have your PRD, Architecture, optional UX and Briefs - its time to switch over to the IDE to shard your docs, and start implementing the actual code!

Coming soon..

Phase: Core Development Cycle

Coming soon..

Other Claude Code Workflows

There are other Claude Code workflows, some example are given here.

UI Designer

https://www.youtube.com/watch?v=TyGx277x9hQ

Retrospectives

https://www.youtube.com/watch?v=ai_sSQH1Pn4&t=478s

Multitasking

https://www.geeky-gadgets.com/how-to-use-git-worktrees-with-claude-code-for-seamless-multitasking/

There are UI tools built on GIT worktrees to support this.

Other non-Claude Code Workflows

Accessibility

https://github.com/scragz/kornelius/blob/main/prompts/audit/a11y.prompt

References

1. https://harper.blog/2025/02/16/my-llm-codegen-workflow-atm/
2. https://www.geeky-gadgets.com/how-to-use-git-worktrees-with-claude-code-for-seamless-multitasking/
3. https://github.com/ryoppippi/ccusage
4. https://github.com/eyaltoledano/claude-task-master/blob/main/docs/tutorial.md
5. https://www.reddit.com/r/vibecoding/comments/1lu37up/vibecoding_is_straight_chaos_without_instructions/
6. https://www.reddit.com/r/vibecoding/comments/1l5o93n/lets_talk_about_security/