• Zenity Labs
  • Posts
  • Links and materials for Scaling AppSec With an SDL for Citizen Development

Links and materials for Scaling AppSec With an SDL for Citizen Development

Links, demos, tools and slides for BlueHat 2024

Author

Michael Bargury
October 30, 2024

This is a post with all of the links and additional materials for a talk with Microsoft’s Don Willits at BlueHat 2024 titled Scaling AppSec With an SDL for Citizen Development.

Abstract:

Application security programs are difficult. Filled to the brim with vulnerabilities. Overloaded staff and inadequate budget. Challenging communication with developers. The common “solution” is to narrow scope and focus on crown jewel applications and their developers, playing on relative easy mode. What if instead we increase the scope to cover 100x developers and 1000x applications? Surprisingly, it works. In the first 4 months of 2024, our program remediated >95% of security vulnerabilities. 20% of them were remediated in a single night. In this talk, we will share insights from two years in the making of a security program for applications built by business users using GenAI and low-code/no-code tools, a.k.a. Citizen Development. We will share lessons learned and pitfalls not-avoided, and unique challenges for this kind of program. Applying SDLC to hundreds of thousands of citizen developers, with no security savvy. Working at 1,000x the AppSec scale relying on automation and guidance. Next, we will share the kind of vulnerabilities we see common in citizen development environments. Breaking access controls, allowing one user to impersonate another, leaking data to uncontrolled locations. We will demo exploits showing how they look like from the attacker's perspective. We will finish off sharing our adoption of the SDL for citizen development, and showcase the OWASP Low-Code No-Code Top 10 as a framework to help you focus your program.

Table of Contents

Resources

Slides

Slides are available here.

Demos

Tools

Modules: Copilot Studio Hunter ‐ Deep Scan

An offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform - mbrg/power-pwn

github.com/mbrg/power-pwn/wiki/Modules:-Copilot-Studio-Hunter-%E2%80%90-Deep-Scan

Modules: Copilot M365 ‐ Dump

An offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform - mbrg/power-pwn

github.com/mbrg/power-pwn/wiki/Modules:-Copilot-M365-%E2%80%90-Dump

Reply

or to participate.