How Alipay Uses AI to Revolutionize Its Application Security Lifecycle
Since 2016, Alipay's security team has built the Alipay‑SDL 1.0 framework and now integrates AI and large‑model technologies to automate risk identification, enhance security tools, and streamline operations across the entire software development lifecycle, addressing rising business complexity and engineer workload.
Overview
Since 2016, Alipay's technical security team has built a full‑stack, end‑to‑end application security development lifecycle called Alipay‑SDL 1.0, aligning with industry security trends and regulatory requirements while continuously improving security operations, platforms, and tools to support rapid business growth.
With the "dual‑wheel" strategy driving digital payment and connectivity innovation, Alipay faces increasingly complex architectures and high‑performance development demands. AI, especially large‑model technology, provides a direction for technical evolution, enabling systematic design, AI‑driven tool upgrades, and operational efficiency gains.
Current State and Challenges of the Application Security Development Lifecycle
The original security development lifecycle consists of risk assessment and remediation across requirement analysis, design, coding, testing, and production, relying on security engineers, knowledge, and tools.
Key challenges include the rising cost of understanding the business, increasingly complex security risks due to large‑model adoption, and a surge in security engineer workload as development speed accelerates.
Systematic Thinking for Intelligent Upgrade
Alipay introduces AI capabilities at every stage of the security lifecycle, treating the process as intellectual labor with three elements: security engineers, security tools, and business applications. Intelligent upgrades focus on:
Enhancing AI‑driven automatic understanding and representation of business applications.
Empowering security tools with stronger computational abilities to detect complex logic vulnerabilities.
Enabling security engineers to identify cross‑domain risks efficiently.
AI4SDL Practice
(1) Document Intelligence and Risk Element Extraction
Unstructured documents (requirements, designs, APIs) hold core business logic. Alipay built a multimodal large language model (MLLM) framework to transform these documents into a knowledge system, using dynamic structure‑aware chunking and retrieval‑augmented generation (RAG) for high‑quality semantic units.
Multimodal Document Pre‑processing: A high‑quality security knowledge corpus is created, and a dynamic chunking algorithm detects semantic boundaries across text, tables, code blocks, and charts, providing clean inputs for downstream models.
GraphRAG Knowledge Retrieval: LLMs construct a heterogeneous graph of security entities, and a Personalized PageRank algorithm re‑weights node relevance, improving recall of critical security nodes.
LLM‑Based Knowledge Evaluation: A benchmark generation‑filter pipeline creates synthetic Q&A sets, which are filtered by type and then evaluated by an LLM judge on accuracy, completeness, clarity, and richness, achieving over 20% improvement in knowledge recall.
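The Personalized PageRank re‑weighting described under GraphRAG Knowledge Retrieval, shown on a small entity graph. This is an added example, not Alipay's code: the entity names, the relations, the undirected treatment of edges, and the restart probability of 0.15 are all assumptions.

```python
# Constructed sample: (source, relation, target) triples such as an LLM
# extraction step might emit from design documents. All names are hypothetical.
TRIPLES = [
    ("api:transfer", "reads", "data:account_id"),
    ("api:transfer", "requires", "control:ownership_check"),
    ("api:transfer", "described_in", "chunk:transfer_design"),
    ("control:ownership_check", "mitigates", "risk:horizontal_privilege"),
    ("data:account_id", "exposed_to", "risk:horizontal_privilege"),
    ("api:get_banner", "described_in", "chunk:marketing_page"),
    ("api:get_banner", "reads", "data:campaign_id"),
    ("chunk:marketing_page", "links_to", "chunk:faq"),
    ("chunk:faq", "links_to", "chunk:transfer_design"),
]

def build_adjacency(triples):
    """Treat every relation as undirected so relevance flows both ways."""
    adj = {}
    for src, _rel, dst in triples:
        adj.setdefault(src, set()).add(dst)
        adj.setdefault(dst, set()).add(src)
    return adj

def personalized_pagerank(adj, seeds, alpha=0.15, tol=1e-10, max_iter=200):
    """Power iteration; with probability alpha the walk restarts at a seed."""
    nodes = sorted(adj)
    seeds = [s for s in seeds if s in adj]
    if not seeds:
        raise ValueError("no seed entity exists in the graph")
    restart = {n: (1.0 / len(seeds) if n in seeds else 0.0) for n in nodes}
    rank = dict(restart)
    for _ in range(max_iter):
        nxt = {n: alpha * restart[n] for n in nodes}
        for n in nodes:
            share = (1 - alpha) * rank[n] / len(adj[n])
            for m in adj[n]:
                nxt[m] += share
        delta = sum(abs(nxt[n] - rank[n]) for n in nodes)
        rank = nxt
        if delta < tol:
            break
    return rank

def retrieve(adj, seeds, kind="chunk:", top_k=2):
    """Return the top_k nodes of one entity type, ranked relative to the seeds."""
    rank = personalized_pagerank(adj, seeds)
    hits = [n for n in rank if n.startswith(kind)]
    return sorted(hits, key=lambda n: rank[n], reverse=True)[:top_k]
```

Seeding the walk with the entities matched in a query is what makes the score query-specific: the same graph ranks `chunk:transfer_design` first for a question about `api:transfer` and `chunk:marketing_page` first for one about `api:get_banner`.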
(2) Code Risk Reasoning and API Semantic Annotation
Rule‑Driven Risk Reasoning System (RAC): Integrates program analysis, knowledge graphs, and data engineering to map code logic to business requirements, building a billion‑node knowledge graph that standardizes code, APIs, and sensitive data.
Semantic‑Enhanced Code Risk Analysis: Uses an MLLM to annotate API semantics, extracting SDK declarations and call points and generating multimodal prompts from which LLMs produce semantic contracts, achieving >70% annotation accuracy on the HarmonyOS ArkTS SDK.
Multi‑Agent Collaborative Code Analysis (RAC Agent): Decomposes risk analysis into specialized agents (data‑flow, permission check, sensitive operation) that coordinate via intent understanding and strategy generation, forming a loop of macro‑level planning, micro‑level execution, and dynamic optimization.
(3) Full‑Link Intelligent Operations
SDLHUB Change Perception Center: Provides real‑time perception, intelligent analysis, and collaborative handling of business and technical changes, using rule‑LLM collaboration to classify and respond to risks.
Full‑Link Visualization: A three‑layer visual chain (business behavior, system call, and data flow) enables precise risk tracing from user actions to underlying services.
SDLCopilot Intelligent Security Architecture: A four‑layer, platform‑centric design integrates natural‑language interfaces, multi‑agent orchestration, toolchain integration, and LLM‑enhanced infrastructure to achieve adaptive, intelligent security operations.
Future Outlook
Achieving near‑99% reliability for large‑model‑driven vulnerability detection remains a goal. Alipay’s HOP solution combines programmable SOPs with verification mechanisms to mitigate hallucinations, aiming to transition AI4SDL from a human‑in‑the‑loop to a fully autonomous security assurance system.
Conclusion
Alipay’s security team is building an AI‑driven lifecycle security system that systematically evaluates risks and enhances business security, setting a benchmark for the industry.
