This is a post with all of the links and additional materials for a talk with Microsoft’s Ryan McDonald at RSAC 2025 titled Scaling AppSec With an SDLC for Citizen Development.
Abstract:
AppSec programs are difficult, filled with vulnerabilities. Overloaded staff and inadequate budget. The era of Citizen Development where non-IT folks develop code, often using LCNC tools, brings new challenges. The traditional approach of narrow scope and focus on crown jewels will no longer work. This session will reveal a solution to address increasing the scope to result in program remediation.
Resources
Deck: Available here
Talk: Your Copilot Is My Insider at RSAC 2025
Talk: Living off Microsoft Copilot at BHUSA 2025
Talk: All You Need Is Guest at BHUSA 2024
Demo: Scan your tenant for publicly-facing copilot bots with Copilot Hunter
Demo: Hijacking Microsoft Copilot to be your malicious insider
Demo: Spyware injection into ChatGPT’s long-term memory
Tool: Power Pwn, an offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform
Link: The GenAI Attacks Matrix
Link: Power Platform Docs
Link: OWASP LCNC Top 10
Link: OWASP LLM Top 10


