The Power of Dedicated Security Engineers vs. Volunteers
Session Abstract
Open source security is often overlooked until a crisis hits. This talk compares the impact of volunteers versus dedicated full-time security engineers in the Python and Ruby ecosystems. It highlights how consistent investment strengthens community resilience, reduces risk, and proves that security isn’t a cost but an essential strategy.
Session Description
Perfect security works like a transparent umbrella — it shields you from the storm, often without you realizing there’s one. That invisibility, however, is why open source security is too often seen as a cost rather than a strategic investment.
Most organizations only start paying attention to security after a crisis — think Log4j — when it’s already too late. In the open source world, many projects depend on volunteers to respond to security incidents. Their contributions are invaluable, but what happens when projects have dedicated, full-time security engineers instead?
In this session, we’ll explore that question through the stories of Mike, Seth, and Samuel, who once volunteered their time supporting security in the Python and Ruby ecosystems. With funding from AWS and Alpha-Omega, they later became full-time security engineers employed by the Python Software Foundation and Ruby Central.
By comparing their impact as volunteers versus full-time professionals, we’ll quantify the value of dedicated security investment and measure its return on investment.
Open source is everywhere — securing it benefits everyone. Through this talk, we’ll challenge you to rethink security not as an afterthought or a cost center, but as a core strategy worth proactive investment.
