Thursday, February 13
 

9:30am PST

OWASP Security Summit: OWASP Top 10 Risks to LLM Applications - A Developer’s View
Thursday February 13, 2025 9:30am - 9:55am PST
Krishna Sankar, U.S. Bank, SVP/Distinguished Engineer
OWASP Certified 

Speakers
Krishna Sankar

SVP/Distinguished Engineer, U.S. Bank
SVP/Distinguished Engineer − Generative AI Red Teaming, Guardrails & Explainability @ U.S. Bank. Krishna is a Technologist with broader experience in AI, Data Science, Security and Networks. Working on building intelligence - maybe even a JARVIS! Love to write, teach and develop...
Dev Security World

10:00am PST

OWASP Security Summit: Breaking Down Silos: Enhancing Security in AppSec Programs
Thursday February 13, 2025 10:00am - 10:25am PST
Aruneesh Salhotra, Seasoned Technologist
OWASP Certified 

In today’s interconnected world, organizational silos pose a significant challenge to effective application security (AppSec). These silos—rooted in specialization, control structures, and cultural divides—impede communication and collaboration, weakening overall security efforts.
This presentation will explore the causes and impacts of organizational silos on security programs and demonstrate how breaking these barriers can strengthen coordination and foster a unified security culture. Attendees will gain insights into why silos form, their detrimental effects on security initiatives, and actionable strategies to overcome them.
A few key takeaways:
Understanding Silos: How specialization and cultural divides create barriers.
Impact on Security: The risks silos introduce to AppSec programs.
Practical Strategies: Approaches such as cross-functional training, creating shared security visions, and initiating collaborative initiatives to dismantle silos.
Building a Unified Culture: Empowering every team member, not just the security team, to contribute to application security.

Speakers
Aruneesh Salhotra

Seasoned Technologist
Aruneesh Salhotra is a seasoned technologist and servant leader, renowned for his extensive expertise across cybersecurity, DevSecOps, AI, Business Continuity, Audit, and Sales. His impactful presence as an industry thought leader is underscored by his contributions as a speaker and panelist...
Dev Security World

10:30am PST

OWASP Security Summit: The Security-Developer Love Story: Moving from ‘No’ to ‘Let’s Go’
Thursday February 13, 2025 10:30am - 10:55am PST
Wendy Segura, Sage, Security Engineer
Andra Lezza, Sage, Principal Application Security Specialist

OWASP Certified 
Speakers
Andra Lezza

Principal Application Security Specialist, Sage
Andra is a Principal Application Security Specialist at Sage, with over seven years of experience in the field of application security. She is responsible for implementing DevSecOps practices, conducting security assessments, and developing secure coding guidelines for software engineering...
Wendy Segura

Security Engineer, Sage
Wendy Segura is a Security Engineer at Sage who specializes in building secure, scalable technology solutions. With over a decade of experience in cybersecurity, process optimization, and security client advisory, she focuses on developing robust security frameworks, conducting comprehensive...
Dev Security World

11:00am PST

OWASP Security Summit: F*** Security: We’ll do it Live
Thursday February 13, 2025 11:00am - 11:50am PST
Jason Haddix, Arcanum Information Security, CEO, CISO, and “Hacker in Charge” 
OWASP Certified 

Security at the speed of dev, making secure choices in design, and making security invisible and easy for developers for any size org 
Speakers
Jason Haddix

CEO, CISO, and “Hacker in Charge”, Arcanum Information Security
Jason Haddix, AKA jhaddix, is the CEO, CISO, and “Hacker in Charge” at Arcanum Information Security. Arcanum is a world-class assessment and training company. Jason also holds the title of Field CISO for Flare.io, a world-class threat intelligence platform. Jason has had a distinguished...
Dev Security World

1:00pm PST

OWASP Security Summit: OWASP SamuraiWTF for All the Developer Ninjas
Thursday February 13, 2025 1:00pm - 1:25pm PST
Kevin Johnson, Secure Ideas, Chief Executive Officer
OWASP Certified 

The best security training environment for Developers and AppSec Professionals
Speakers
Kevin Johnson

Chief Executive Officer, Secure Ideas
Kevin Johnson is the Chief Executive Officer of Secure Ideas. Kevin has a long history in the IT field including system administration, network architecture and application development. He has been involved in building incident response and forensic teams, architecting security solutions...
Dev Security World

1:30pm PST

OWASP Security Summit: Securing Python Lab
Thursday February 13, 2025 1:30pm - 1:55pm PST
Guled Abdilahi, FanDuel, Staff Engineer
OWASP Certified

Speakers
Guled Abdilahi

Staff Engineer, FanDuel
Staff Engineer with FanDuel and OWASP Atlanta Chapter co-leader, with a rich history in Secure by Design, DevSecOps and security architecture within telco and entertainment.
Dev Security World

2:00pm PST

OWASP Security Summit: 15 Ways to Break Microsoft Copilot
Thursday February 13, 2025 2:00pm - 2:25pm PST
Tamir Ishay Sharbat, Zenity, Software Engineer
OWASP Certified 

Microsoft Copilot Studio is the technology that powers Microsoft's copilots, and the platform behind custom copilots built in the enterprise. The promise is that everyone can build a secure copilot, under the assumption that every bot will be secure by default. Does it hold under scrutiny?

In this talk, we will show how Copilot Studio bots can easily be used to exfiltrate sensitive enterprise data, circumventing existing controls like DLP. We will show how a combination of insecure defaults, overly permissive plugins and wishful design thinking makes data leakage probable, not just possible. We will analyze how Copilot Studio puts enterprise data and operations in the hands of GenAI, and expose how this exacerbates the prompt injection attack surface, leading to a material impact on integrity and confidentiality.

Next, we will drop CopilotHunter, a recon and exploitation tool that scans for publicly accessible Copilots and uses fuzzing and GenAI to abuse them to extract sensitive enterprise data. We will share our findings targeting thousands of accessible bots, revealing sensitive data and corporate credentials.

Finally, we will offer a path forward by sharing concrete configurations and mistakes to avoid on Microsoft's platform, and generalized insights on how to build secure and reliable Copilots.

Speakers
Tamir Ishay Sharbat

Software Engineer, Zenity
Tamir Ishay Sharbat is a Software Engineer focused on AI with Zenity.
Dev Security World

3:00pm PST

OWASP Security Summit: How to be a Security Champion
Thursday February 13, 2025 3:00pm - 3:25pm PST
Marisa Fagan, Katilyst, Head of Product
OWASP Certified 
Speakers
Marisa Fagan

Head of Product, Katilyst
Dev Security World