This is a post with all of the links and additional materials for a talk with Microsoft’s Ryan McDonald at RSAC 2025 titled Scaling AppSec With an SDLC for Citizen Development.

Abstract:

AppSec programs are difficult, filled with vulnerabilities. Overloaded staff and inadequate budget. The era of Citizen Development where non-IT folks develop code, often using LCNC tools, brings new challenges. The traditional approach of narrow scope and focus on crown jewels will no longer work. This session will reveal a solution to address increasing the scope to result in program remediation.

Resources

• Deck: Available here

• Blog: Scaling AppSec With an SDL for Citizen Development

• Talk: Your Copilot Is My Insider at RSAC 2025

• Talk: Sure, Let Business Users Build Their Own. What Could Go Wrong? at BHUSA 2024

• Talk: Living off Microsoft Copilot at BHUSA 2025

• Talk: All You Need Is Guest at BHUSA 2024

• Demo: 6 Microsoft Copilot Vulnerabilities in 4 Minutes

• Demo: Scan your tenant for publicly-facing copilot bots with Copilot Hunter

• Demo: Hijacking Microsoft Copilot to be your malicious insider

• Demo: Spyware injection into ChatGPT’s long-term memory

• Tool: Power Pwn, an offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform

• Link: The GenAI Attacks Matrix

• Link: Power Platform Docs

• Link: Microsoft Security Development Lifecycle (SDL)

• Link: OWASP LCNC Top 10

• Link: OWASP LLM Top 10