AI-assisted software development is shifting from isolated code completion toward specification-driven generation, where business requirements, technical specifications, and acceptance criteria become operational input for LLM-based development agents. This shift creates a security problem: functional behavior is described explicitly, while security behavior remains implicit, generic, or postponed to post-generation review, causing generated systems to satisfy visible functional requirements while failing to preserve authorization rules, ownership boundaries, input validation, token rejection, sensitive data handling, and abuse-case semantics. This paper proposes a security knowledge operationalization approach for AI-assisted specification-driven development, combining two contributions: a Multilayer Specification Security Model that represents security knowledge through traceable relations between system entities, threats, risks, requirements, implementation rules, controls, verification scenarios, and evidence; and a Security Knowledge Transition Method that transforms business and technical specifications into a validated security-enriched generation contract. We evaluate the approach through two empirical studies: a hidden-oracle study assessing whether an LLM-based pipeline can derive a structured security model from system context, and a backend generation study under three conditions: no explicit security requirements, ASVS-conditioned generation, and Multilayer Security Model conditioning. Evaluated against a hidden 221-test black-box API suite, modal failures decreased from 50 in the baseline to 42 with ASVS and 36 with the Multilayer Security Model, with the strongest improvements in application-specific categories such as business logic and admin safety.

翻译：AI辅助软件开发正从孤立代码补全转向规约驱动生成，其中业务需求、技术规格与验收标准成为基于LLM的开发智能体的可操作输入。这一转变带来了安全问题：功能行为被显式描述，而安全行为仍隐式存在、泛化处理或延至生成后审查，导致生成的系统虽满足可见的功能需求，却在授权规则、所有权边界、输入验证、令牌拒绝、敏感数据处理及滥用案例语义层面存在缺陷。本文提出一种面向AI辅助规约驱动开发的安全知识可操作化方法，包含两项贡献：多层规约安全模型，通过系统实体、威胁、风险、需求、实施规则、控制措施、验证场景及证据间的可追溯关系表征安全知识；安全知识迁移方法，将业务与技术规约转化为经过验证的增强安全生成合约。我们通过两项实证研究评估该方法：隐式预言机实验验证基于LLM的流水线能否从系统上下文推导结构化安全模型；后端生成实验在三种条件下展开——无显式安全需求、ASVS条件约束与多层安全模型约束。经包含221项测试的黑盒API套件评估，基线模态故障从50例降至ASVS组42例与多层安全模型组36例，业务逻辑、管理员安全等应用特定类别的改进最为显著。