Open Source Security Summit 2025 - Recap

The 2025 Open Source Security Summit gathered cybersecurity leaders, authors, and practitioners to tackle the industry's most pressing challenges, from leveraging blockchain forensics to implementing passwordless authentication at scale. Speakers delivered keynotes, debated on panels, and shared hard-won lessons on building security that delivers both technical excellence and real-world usability.

To explore past summits, many session recordings for 2024, 2023, 2022, 2021, and 2020 are available at opensourcesecuritysummit.com or on the Bitwarden YouTube channel. 

Rick Howard, CEO of the CyberCanon Project — a volunteer-driven initiative to identify the industry's most essential books — opened the Summit with a compelling argument against quick-hit content consumption. Howard challenged the industry's growing reliance on summaries, triple-speed podcasts, and AI-generated digests, arguing that meaningful understanding requires time and engagement with material.

The top takeaways: 

1. Don't skim; take your time with a subject.

2. Books are the most impactful knowledge transfer device.

3. Prioritize depth over breadth in your learning to transform your career.

"Reading is an act of resistance in a landscape of distraction." - David Ulin's The Lost Art of Reading

For those ready to hit the library but unsure where to begin, Howard highlighted three essential reads from the Cyber Canon Hall of Fame:

• The Cuckoo's Egg (Cliff Stoll, 1989) essentially launched the cybersecurity profession.

• The Perfect Weapon (David Sanger, 2018) covers nation-state cyber operations.

Tracers in the Dark (Andy Greenberg) documents cryptocurrency tracing as a law enforcement tool.

Andy Greenberg, senior writer at WIRED and author of Tracers in the Dark (a CyberCanon Hall of Fame pick!), joined moderator Paul Stringfellow, GigaOm analyst, to discuss one of cybersecurity's greatest ironies: Bitcoin, once hailed as untraceable digital cash, became law enforcement's secret weapon.

"Bitcoin turned out to be the opposite of untraceable." - Andy Greenberg, WIRED

Greenberg traced the turning point to 2013-2014, when investigators — including IRS agents from the same unit that took down Al Capone — realized the blockchain's transparency made it possible to follow the money with unprecedented precision. What followed was a string of dramatic takedowns: dark web marketplaces, corrupt federal agents caught red-handed, and operations that resulted in 337 arrests across dozens of countries.

The twist? Despite knowing cryptocurrency can be traced, criminals continue using it for ransomware and sophisticated scams operated from Southeast Asian compounds. As Greenberg explained, the challenge isn't identifying perpetrators; it's reaching them when they operate from non-extradition countries and failed states.

"You might know their names, but identifiability and accountability are not the same thing." - Andy Greenberg, WIRED

Watch the full session

Director of IT at Veritas Prime, Patrick Ward, and Highwire CTO Jason Mayde argued that open source transparency makes security accessible across entire organizations. The panelists explained how public pull requests, continuous integration, and automated scans give open source tools more scrutiny and stronger protection than closed source alternatives. 

"Security by design means incorporating security at all levels, not just at that open source project level — but by creating a culture of security across your entire organization." - Jason Mayde, Highwire

Ward and Mayde emphasized that effective security requires meeting users where they are: localizing content to reflect cultural nuances and workflows, not just translating documentation. Their key warning: make security too complex, and users will create shadow IT. Friction, not malice, drives people to find workarounds.

"When security greatly outweighs the usability of a system, you're more likely to introduce shadow IT scenarios." - Patrick Ward, Veritas Prime

Watch the full session

Rinki Sethi, Chief Security Officer at Upwind Security, explored how AI has transformed the attacker-defender arms race in conversation with Jon Swartz, Techstrong Group. 

Attackers now operate "at startup-scale speed," using AI to launch personalized phishing campaigns, deploy polymorphic malware that self-mutates to evade detection, and execute deepfake-enabled social engineering. Meanwhile, compromised identities have surpassed malware as the primary entry point for breaches.

“Identity is the new perimeter. When you think about credentials, tokens, and session cookies, they're easier to steal than building malware. And once you're in, you bypass most endpoint defenses.” - Rinki Sethi, Upwind Security

On defense, Sethi highlighted AI's power to provide contextual detection, surfacing dangerous combinations like compromised identities accessing vulnerable workloads with exposed secrets. 

But she warned against blind trust in AI outputs, emphasizing that human judgment remains essential, especially for escalation, compliance, and business-impacting actions. 

"Machines should recommend, not fully decide … Automation is great for the response playbook, but not yet for nuanced judgment calls." - Rinki Sethi, Upwind Security

Sethi expressed cautious optimism that AI would ultimately favor defenders, but only if they match attackers' speed and agility.

Mark Zvolensky, Senior Cybersecurity Manager at Foot Locker, delivered practical guidance on passkey implementation with a simple philosophy: skip the tech jargon. He compared passkeys to car keys — physical objects that provide access — rather than explaining public-private key cryptography. 

His deployment advice: 

1. Test thoroughly (his team waited a year until the technology matured)

2. Choose consistent workflows with a standard authenticator app

3. Deploy in rings, starting with technical teams

4. Document extensively

5. Most importantly: "be social about it" — run workshops, host town halls, and remind people that passkeys aren't scary.

Zvolensky's standout recommendation: Use creative automation to drive adoption. 

Foot Locker built a system that reaches out to users a week after they register a passkey, prompting them to remove less secure SMS authentication with a single button tap. For privileged users, he recommended making passkeys policy, not optional. 

Watch the full session

How did a single phone call bring down MGM's security systems? Eddie Clark, President and CEO at SolveIT, and David Mitrovik, Systems Engineer at SWISS TXT, opened their discussion with moderator Nicole Nguyen from The Wall Street Journal by dissecting the infamous attack, where someone simply called the help desk, requested a password reset, and walked in. 

"Security has to be iterative and integrated, not just reactive or an afterthought. You can’t add eggs to a cake after it’s baked." - Clark, SolveIT

With deepfake voices and AI-generated social engineering escalating, the panelists argued that phishing-resistant authentication like passkeys must become standard, framing security as foundational, not optional.

"There is no reliability without real security." - Mitrovik, SWISS TXT

When evaluating products, he urged transparency as the key indicator of genuine commitment — look for documented cryptographic processes, vulnerability disclosure policies, and bug bounty programs. 

"If they have nothing to show for their claims, then it's probably [security] theater." - Mitrovik, SWISS TXT

Clark emphasized practical due diligence: 

• Verify SOC 2 Type 2 certifications

• Follow frameworks like OWASP

• Read end-user license agreements

Both panelists rallied around eliminating SMS-based authentication in favor of phishing-resistant MFA and end-to-end encryption as defaults. 

The biggest barrier to passwordless implementation? "Cost and fear of change," Clark said — not technical capability.

Watch the full session

The 6th annual Open Source Security Summit reinforced a clear message: effective security requires both technical excellence and thoughtful attention to human factors. From passkeys replacing passwords to AI transforming the attacker-defender landscape, the path forward demands balancing innovation with usability.

To watch all session recordings and explore past summits, visit opensourcesecuritysummit.com or the Bitwarden YouTube channel.