Security BSides Las Vegas 2025

From Code to Cloud: Securing Your Stack with Open-Source Tools
2025-08-04, Diamond

In a world where every Formula 1 team is sponsored by a security vendor… can open-source still hold pole position?

While big vendors chase attention with AI-fueled promises and enterprise price tags, most teams just need tools that work—and won’t wreck the budget. This workshop shows you how to build a practical, full-spectrum security stack using battle-tested open-source tools.

You’ll see live demos of tools like Trivy, GitLeaks, Checkov, ZAP, and OpenGrep, securing every layer from code to cloud. We’ll unpack real attack paths—like Log4Shell, dependency poisoning, and leaked secrets—and show how to detect and stop them early.

You’ll leave with a blueprint for integrating OSS tools into your workflow via CI/CD, IDEs, and pre-commit hooks, plus guidance on when free tools are enough—and when to go commercial.

If you’ve ever asked, “Do I really need to spend six figures to be secure?”—this is your answer.


In a world where every Formula 1 team is backed by a security vendor, you might wonder: can open-source tools still compete—or are you just spinning your wheels?

This workshop is for the builders, breakers, and defenders who want practical answers—not just enterprise-grade promises wrapped in AI buzzwords. Modern applications are built fast, assembled from open-source packages, deployed via IaC, and run in complex cloud environments. Every step adds attack surface—and attackers know it.

But good security doesn’t have to start with a procurement call.

In this session, we’ll walk through how to build a high-quality, layered security program using open-source tools. You’ll see live demos of tools like:
- Trivy for container and dependency scanning (SCA),
- GitLeaks and TruffleHog for secrets detection (even buried in git history),
- Checkov for infrastructure-as-code scanning,
- ZAP and Nuclei for DAST and API testing,
- Bandit and OpenGrep for static analysis (SAST),
- And Zen for runtime protection via in-app firewalls.

Each tool will be shown in context—with real examples of how attackers exploit vulnerabilities in the wild: poisoned packages, typosquatting, exposed secrets, and cascading misconfigurations. We’ll explore famous breaches (like Log4Shell, the event-stream npm compromise, and Twitch’s git leak) and dissect how open-source tools could have detected or blocked the compromise.

You'll learn how to:
- Chain these tools together with CI/CD pipelines, Git hooks, and IDEs,
- Choose when to “build vs. buy”,
- And design a Minimal Viable Security Stack that offers solid coverage without budget strain.
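One concrete way to chain several of the scanners listed above into a Git hook so that secrets, vulnerable dependencies and IaC misconfigurations are caught before a commit lands. This is an added example, not material from the workshop or from any of the tool projects' own documentation. It assumes the `pre-commit` framework is installed, that the gitleaks, checkov and bandit repositories expose the hook ids shown (they do in their published `.pre-commit-hooks.yaml` files), and that `trivy` is on the developer's PATH; every `rev` value is a placeholder to be pinned to a real release tag.

```yaml
# .pre-commit-config.yaml  (added example; rev values are placeholders, pin them to real tags)
repos:
  # Secrets detection: gitleaks inspects the staged changes before they enter history.
  - repo: https://github.com/gitleaks/gitleaks
    rev: vX.Y.Z                      # placeholder: use a released gitleaks tag
    hooks:
      - id: gitleaks

  # Infrastructure-as-code scanning: checkov covers Terraform, CloudFormation,
  # Kubernetes manifests and Dockerfiles found in the staged files.
  - repo: https://github.com/bridgecrewio/checkov.git
    rev: X.Y.Z                       # placeholder: use a released checkov tag
    hooks:
      - id: checkov

  # SAST for Python: bandit, restricted to medium and high severity findings
  # so that low-severity noise does not block every commit.
  - repo: https://github.com/PyCQA/bandit
    rev: X.Y.Z                       # placeholder: use a released bandit tag
    hooks:
      - id: bandit
        args: ["-ll"]

  # SCA plus secret scanning of the working tree: trivy has no hook repo here,
  # so it runs as a "local" hook against the whole checkout. --exit-code 1 makes
  # any HIGH or CRITICAL finding fail the hook and therefore block the commit.
  - repo: local
    hooks:
      - id: trivy-fs
        name: trivy filesystem scan (vuln + secret)
        entry: trivy fs --exit-code 1 --severity HIGH,CRITICAL --scanners vuln,secret .
        language: system
        pass_filenames: false
```

`pre-commit install` wires these hooks into the repository; `pre-commit run --all-files` runs the same chain across the whole tree, and running that one command in the CI pipeline keeps the local gate and the pipeline gate identical. The gitleaks hook only sees staged changes, so secrets already buried in history still need a full-history scan (for example `gitleaks detect` over the repository) as a separate CI job.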

We’ll also cover the limitations of OSS tools—because yes, you’ll miss some dashboards, reporting, and support—but for many teams, those are trade-offs worth making. Especially when the alternative is no security at all.

This workshop is ideal for:
- Developers looking to shift security left without killing velocity,
- Security engineers who need effective, budget-conscious coverage,
- Startups and small teams who want the protection, not the pitch.

By the end, you’ll have a working blueprint, tool configurations, and clarity on what matters most. Whether you’re a lone dev or scaling a team, this session will give you the tactical toolkit to secure what you build—with tools the community trusts.

Mackenzie is a security researcher and advocate with a passion for code security. He is the former CTO and founder of Conpago, where he learned firsthand the importance of building secure applications. Today, Mackenzie works for Aikido Security to help developers and DevOps engineers build secure systems. He also shares his knowledge as a contributor to many technology publications like Dark Reading, Financial Times, and Security Boulevard and was featured as an expert in the documentary “Logins aus dem Darknet” (EN: Logins from the Darknet).
