Security on a Shoestring: Hardening Your Game for $0 in One Sprint

Stage 2 - Multiplayer Track | Confex Level 1
Talk
Tracks: Multiplayer | Production | Tech & Coding

Information

Indie and AA studios are exposed to the same supply-chain and infrastructure attacks as the big publishers, without the budgets to match. In this lightning-fast session I'll walk through ten open-source or free-tier controls you can bolt onto any game build-and-deploy pipeline in a single sprint, without spending a penny.

We start at the repo gate with OpenSSF Scorecard (repository hygiene) and Gitleaks (committed secrets), roll out automatic dependency upgrades via Dependabot or Renovate, then generate an SBOM and sweep it for known CVEs with Syft → Grype. Only once the supply chain is clean do we switch on static analysis (Semgrep or CodeQL), so the first scan surfaces findings in your own code rather than drowning them in third-party CVEs. We pin the build with Sigstore Cosign signatures so every shipped artefact can be traced back to the CI run that produced it, stand up a free ModSecurity or Cloudflare WAF, throw OWASP ZAP at your own endpoints to confirm the WAF blocks what it claims to, and finish with an outside-in network sweep (Nmap + OpenVAS) before capturing a known-good configuration baseline with CIS-CAT Lite so later drift shows up as a diff.

Most of the tools are open-source licensed or have a free tier, run on Windows, macOS and Linux build agents, and plug into GitHub Actions or GitLab CI with ≤ 15 lines of YAML each. Attendees leave with a prioritised checklist that cuts the pipeline's attack surface, proof that solid security can run on coffee money.
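To make the "fix first, scan second" ordering concrete, here is an added example of a GitHub Actions workflow that wires four of the ten controls together (Gitleaks and Scorecard at the repo gate, Syft → Grype on the SBOM, Cosign signing of the build). It is illustration written for this page, not material from the talk or from any of the projects named. The repository layout (`./Engine`), the build script (`./build.sh`), the artefact path (`build/Game.zip`) and the job names are assumptions; the action names, inputs and cosign flags are the real ones.

```yaml
# Added example, not from the talk. Paths, build script and artefact name are assumptions.
name: shoestring-security
on:
  push:
    branches: [main]
  workflow_dispatch:

permissions:
  contents: read
  id-token: write        # needed for keyless Cosign signing via GitHub OIDC

jobs:
  repo-gate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0               # Gitleaks needs full history to catch old commits
      - name: Secret scan (Gitleaks)
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Repo hygiene (OpenSSF Scorecard)
        uses: ossf/scorecard-action@v2.3.1
        with:
          results_file: scorecard.sarif
          results_format: sarif
          publish_results: false

  supply-chain:
    needs: repo-gate                   # scan dependencies only after the repo gate passes
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate SBOM (Syft)
        uses: anchore/sbom-action@v0
        with:
          path: ./Engine               # assumed source tree
          format: spdx-json
          output-file: sbom.spdx.json
      - name: Sweep SBOM for CVEs (Grype)
        uses: anchore/scan-action@v3
        with:
          sbom: sbom.spdx.json
          fail-build: true             # enforces the "zero high CVEs" KPI
          severity-cutoff: high

  sign-build:
    needs: supply-chain                # only a clean supply chain gets a signature
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build
        run: ./build.sh && test -f build/Game.zip   # assumed build script and output
      - uses: sigstore/cosign-installer@v3
      - name: Sign artefact (keyless, bound to this workflow's OIDC identity)
        run: cosign sign-blob --yes --bundle build/Game.zip.bundle build/Game.zip
      - uses: actions/upload-artifact@v4
        with:
          name: signed-build
          path: build/Game.zip*
```

Two caveats a practitioner will hit. First, `gitleaks/gitleaks-action@v2` runs without configuration on personal accounts but expects a licence key in a `GITLEAKS_LICENSE` secret when the repository belongs to an organisation account, so check that before counting it as "free" for a studio org. Second, a signature is only worth the verification step: anyone consuming the artefact should run `cosign verify-blob --bundle build/Game.zip.bundle --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/<org>/<repo>/' build/Game.zip`, substituting the real org and repo, which ties the blob to a workflow in that repository rather than to whoever happened to upload it.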

Target Audiences
Indie and AA Game Developers, Programmers, Technical Leads, or anyone responsible for the build and deployment pipeline seeking low-cost security improvements.
Experience Level
Intermediate
Key Takeaways
- A zero-budget, one-sprint blueprint: a concrete 10-step checklist (plus bonus tools) to harden your entire build-and-deploy pipeline without spending a penny.
- "Fix first, scan second" order of battle: the rationale behind the control sequencing (repo hygiene → supply-chain patching → code scan → runtime shielding), so you avoid alert fatigue and get measurable risk reduction from day one.
- Metrics that matter to game devs: ready-made KPIs (Scorecard ≥ 8, days-to-merge for dependency PRs, zero high CVEs in the SBOM, percentage of signed artefacts) that translate security progress into language producers and executives understand.
- Stakeholder-ready artefacts: templates for a one-page scorecard and a three-slide pitch script to drop into your next sprint review and win buy-in from leads, publishers and platform holders.
- Confidence that "good enough" security is achievable: evidence that significant threats can be mitigated affordably with open-source tooling, minimal engineer-hours and smart prioritisation.
Session Type
Talk