Links and materials for Scaling AppSec With an SDL for Citizen Development
Links, demos, tools and slides for BlueHat 2024
This is a post with all of the links and additional materials for a talk with Microsoft’s Don Willits at BlueHat 2024 titled Scaling AppSec With an SDL for Citizen Development.
Abstract:
Application security programs are difficult. Filled to the brim with vulnerabilities. Overloaded staff and inadequate budget. Challenging communication with developers. The common “solution” is to narrow scope and focus on crown-jewel applications and their developers, playing on relative easy mode. What if instead we increase the scope to cover 100x developers and 1000x applications? Surprisingly, it works. In the first 4 months of 2024, our program remediated >95% of security vulnerabilities. 20% of them were remediated in a single night. In this talk, we will share insights from two years in the making of a security program for applications built by business users using GenAI and low-code/no-code tools, a.k.a. Citizen Development. We will share lessons learned and pitfalls not avoided, and the unique challenges of this kind of program. Applying an SDLC to hundreds of thousands of citizen developers with no security savvy. Working at 1,000x the AppSec scale, relying on automation and guidance. Next, we will share the kinds of vulnerabilities we commonly see in citizen development environments: breaking access controls, allowing one user to impersonate another, leaking data to uncontrolled locations. We will demo exploits showing what they look like from the attacker's perspective. We will finish off by sharing our adoption of the SDL for citizen development, and showcase the OWASP Low-Code No-Code Top 10 as a framework to help you focus your program.
Resources
Slides
Slides are available here.
Demos
Scan your tenant for publicly-facing copilot bots with Copilot Hunter
Spear phishing with Microsoft 365 Copilot manually and automated
Tools
Links
LCNC Shared Responsibility Model Whitepaper (forthcoming)