

Security on a Shoestring: Hardening Your Game for $0 in One Sprint
Indie and AA studios face nation-state-grade threats, but not nation-state budgets. In this lightning session I walk through ten open-source controls you can bolt onto any game build-and-deploy pipeline in a single sprint, without spending a penny.
We start at the repo gate with OpenSSF Scorecard and Gitleaks, roll out automatic dependency upgrades via Dependabot or Renovate, then generate an SBOM and sweep it for known CVEs with Syft feeding Grype. Static analysis (Semgrep or CodeQL) comes only after the supply chain is clean, so the findings you triage are in your own code rather than in a vendored library and the noise stays manageable. We then sign the build artifacts with Sigstore Cosign, stand up a free WAF (ModSecurity, or Cloudflare's free tier), test it with OWASP ZAP, and finish with an outside-in network sweep (Nmap plus OpenVAS) before capturing a "known-good" drift baseline with CIS-CAT Lite.
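The SBOM-to-CVE step above usually fails builds with Grype's own `--fail-on high` and `--only-fixed` flags. The script below is an added example (not code from the session or from the Grype project) of the small policy gate a studio ends up wanting on top of that: it reads a Grype JSON report, ignores findings with no upstream fix (nothing for Dependabot or Renovate to pull in), and honours time-boxed waivers so an accepted risk is forced back onto the table when its date passes. It assumes the report was produced by `grype sbom:sbom.spdx.json -o json` and that the JSON carries a top-level `matches` list with `vulnerability.id`, `vulnerability.severity`, `vulnerability.fix.state` and `artifact.name`/`artifact.version`; the waiver file format and the placeholder CVE ids in the sample report are this example's own constructions.

```python
"""Severity gate for a Grype JSON report: the 'sweep the SBOM for CVEs' step.

Added example, not code from the session. Assumed inputs:
  * grype.json   - produced by `grype sbom:sbom.spdx.json -o json`; Grype's JSON
                   carries a top-level "matches" list, and each match has
                   vulnerability.id, vulnerability.severity, vulnerability.fix.state
                   and artifact.name / artifact.version.
  * waivers.json - this script's own convention: {"<CVE id>": {"expires": "YYYY-MM-DD",
                   "reason": "..."}} for accepted findings that must be revisited.
"""
import json
import sys
from datetime import date

# Grype's severity labels, ordered so a cutoff can be compared numerically.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample in the shape of a Grype report; the CVE ids are placeholders,
# not real advisories, and the package names are made up.
SAMPLE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "Critical",
                       "fix": {"versions": ["2.0.1"], "state": "fixed"}},
     "artifact": {"name": "libexample", "version": "2.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                       "fix": {"versions": ["1.4.0"], "state": "fixed"}},
     "artifact": {"name": "netcode", "version": "1.3.2"}},
    {"vulnerability": {"id": "CVE-0000-0003", "severity": "High",
                       "fix": {"versions": [], "state": "not-fixed"}},
     "artifact": {"name": "physx-wrapper", "version": "0.9.0"}},
    {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium",
                       "fix": {"versions": ["3.1.1"], "state": "fixed"}},
     "artifact": {"name": "imageloader", "version": "3.1.0"}},
    {"vulnerability": {"id": "CVE-0000-0005", "severity": "High",
                       "fix": {"versions": ["5.2.0"], "state": "fixed"}},
     "artifact": {"name": "telemetry-sdk", "version": "5.1.0"}},
]}

# Constructed waiver file: one live waiver, one that has already expired.
SAMPLE_WAIVERS = {
    "CVE-0000-0002": {"expires": "2099-01-01", "reason": "code path not reachable in client build"},
    "CVE-0000-0005": {"expires": "2020-01-01", "reason": "upgrade blocked by engine version"},
}


def evaluate(report, waivers, fail_on="High", only_fixed=True, today=None):
    """Split matches into blocking / waived / ignored lists of
    (cve_id, package, version, severity) tuples.

    only_fixed mirrors Grype's --only-fixed flag: a finding with no upstream
    fix cannot be closed by a dependency bump, so it is reported but does
    not fail the build. A waiver counts only until its expiry date; an
    expired waiver blocks again, which forces the team to re-decide.
    """
    today = date.fromisoformat(today) if today else date.today()
    cutoff = SEVERITY_RANK[fail_on]
    blocking, waived, ignored = [], [], []
    for match in report.get("matches", []):
        vuln = match["vulnerability"]
        artifact = match.get("artifact", {})
        severity = vuln.get("severity", "Unknown")
        finding = (vuln["id"], artifact.get("name"), artifact.get("version"), severity)
        if SEVERITY_RANK.get(severity, 0) < cutoff:
            ignored.append(finding)
            continue
        if only_fixed and vuln.get("fix", {}).get("state") != "fixed":
            ignored.append(finding)
            continue
        waiver = waivers.get(vuln["id"])
        if waiver and date.fromisoformat(waiver["expires"]) >= today:
            waived.append(finding)
            continue
        blocking.append(finding)
    return blocking, waived, ignored


def main(argv):
    """CLI: grype_gate.py grype.json [waivers.json]; exits 1 if anything blocks.
    With no arguments it runs against the constructed sample above."""
    if len(argv) < 2:
        report, waivers = SAMPLE_REPORT, SAMPLE_WAIVERS
    else:
        with open(argv[1]) as f:
            report = json.load(f)
        waivers = {}
        if len(argv) > 2:
            with open(argv[2]) as f:
                waivers = json.load(f)
    blocking, waived, ignored = evaluate(report, waivers)
    for label, items in (("BLOCK", blocking), ("WAIVED", waived), ("INFO", ignored)):
        for cve, pkg, ver, sev in items:
            print(f"{label:6} {sev:9} {cve} {pkg}@{ver}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the three commands chain as `syft dir:. -o spdx-json > sbom.spdx.json`, then `grype sbom:sbom.spdx.json -o json > grype.json`, then `python grype_gate.py grype.json waivers.json`; the non-zero exit is what fails the CI job. Keeping waivers in a reviewed file with an expiry date, rather than in a scanner-side ignore list, is the point: the exception is visible in the repo history and cannot silently outlive the reason it was granted.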
Most of the tools are open-source licensed or free-tier; they run on Windows, macOS and Linux build agents and plug into GitHub Actions or GitLab CI with 15 lines of YAML or fewer. Attendees leave with a prioritised checklist that cuts the attack surface: proof that good security can run on coffee money.



