Getting started with Security in 2025 can be daunting: where do you start? How do you design a security pipeline? What is DevSecOps?

In this training we will teach you how to build a reliable vulnerability pipeline that lets you orchestrate any open source tool to perform disparate types of scanning.

You will understand concepts like threat modelling, vulnerability management and which different components are involved in designing security workflows.

You’ll learn how to build your own security component and make it report findings into a database that then can be leveraged to get better insights on your security posture.

At the end of this training, participants will be able to:

Understand the basics of vulnerability management
Orchestrate security tools on CI for their teams
Write simple Go applications
Write custom vulnerability tools and make them report issues to their teams

Key Takeaways

1 Understand the modern security landscape

2 Understand concepts like Vulnerabilities; CVEs and CWEs

3 Learn what SAST, SCA, SBOM, IAC, Secrets Scanners and other types of security scanning concepts mean

4 Learn about the importance of DevSecOps in security practices

5 Learn how to build a vulnerability pipeline: locally and on Continuous Integration

6 Operate Smithy to orchestrate any security tooling

7 Build a custom scanner in Go to analyse a vulnerable git repository for vulnerabilities and report findings on ElasticSearch

8 Familiarize with concepts such as noise reduction and reachability in vulnerability processes

Speaker

Andrea Medda

Founding Engineer @Smithy, ex Cloudflare and Curve

More details coming soon.

Speaker

Spyros Gasteratos

Founder @Ocurity, Principal Security Engineer, Maintainer of opencre.org & github.com/ocurity/Dracon, 15+ Years Experience in Security

Spyros has over 15 years of experience in the security world. Since the beginning of his career he has been an avid supporter and contributor of open source software and an OWASP volunteer. Currently he is interested in the harmonization of security tools and information and is currently helping Fintechs setup and automate large parts of their AppSec programmes. He also maintains several Open Source projects including the security automation framework Dracon, and opencre.org, the worlds largest security knowledge graph. Also, he usually doesn’t speak about himself in the third person.

Speaker

Andrea Medda

Founding Engineer @Smithy, ex Cloudflare and Curve

Speaker

Spyros Gasteratos

Founder @Ocurity, Principal Security Engineer, Maintainer of opencre.org & github.com/ocurity/Dracon, 15+ Years Experience in Security

Prerequisites

Participants should:

Bring their own laptop
Have experience with at least one language, preferably Go
Know how to use a terminal to prompt commands
Know basic Git commands to pull and push

Required Software to be installed:

Git - Make sure that you can clone https://github.com/smithy-security/smithy with git clone https://github.com/smithy-security/smithy
GoLang (latest version available) - Make sure that you can run a sample hello world application https://gobyexample.com/hello-world.
An IDE or Text Editor which supports Go out of the box or its plugins. One of: GoLand - https://www.jetbrains.com/go/ or VSCode + Go Plugin - https://code.visualstudio.com/, https://code.visualstudio.com/docs/languages/go
Docker or Podman on their latest version - Make sure that you can run docker pull hello-world and docker run hello-world successfully

Product Security Vulnerability Workflows Using Open Source

Key Takeaways

Speaker

Andrea Medda

Find Andrea Medda at:

Speaker

Spyros Gasteratos

Find Spyros Gasteratos at:

Speaker

Andrea Medda

Speaker

Spyros Gasteratos

Date

Location

Level

Share

Prerequisites

Follow QCon

Contact

Menu

Conferences around the World