The first DevSecOps Hackathon in the Russian Federation: why did we do this?
September 27, 2025

In 2024, I held the first DevSecOps hackathon in Russia, from findevsecops.ru and @fintechassociation. Among the organizers were Rosbank (so dear and beloved), RSHB, Yandex Cloud, Swordfish Security, the Central Bank of the Russian Federation, AFT, MOEX Group, High Digital Technologies, and T1 Holding (Innotech Group).

The important question is: why not a CTF?

In fact, it was a real practical challenge: to assemble a CI/CD pipeline with security checks in 3 days and at the same time meet the requirements of GOST 56939-2024. We worked on the following hackathon concept:

1. Instead of “capturing flags”, full-fledged pipelines, close to production ones

2. Tasks = real practices: SAST, DAST, SCA, Secret Detection, Vulnerability Management, Risk Analysis

3. The key criterion is the ability to work with false positive/negative findings, their triage and grouping into risks. And the coolest thing is to scale the solution

4. Focus not on theory, but on the Secure-by-Design development life cycle

What is the benefit for me? Hypothesis testing:

1. How problematic is it to implement DevSecOps and AppSec toolchain processes in CI/CD for the Russian market in the new realities?

2. What problems do teams most often encounter, and where do they lose focus?

3. Do teams know how to triage correctly and fix not everything, but only the real vulnerabilities that affect the product and the resulting risks?

Finally, let me remind you:

• Swordfish Security - took 1st place.

• Rostelecom — 2nd place.

• Rosselkhozbank (RSHB) - 3rd place.

• Bauman MSTU (I am proud of my department, where I teach) - the best student team.

📌 What did this give to the market:

1. GOSTs can be “landed” on a live development process and on our community's artifacts

2. AppSec teams need platforms where they can get hands-on with new approaches and solutions in the context of import substitution

3. Healthy competition and research into people who are interesting to you and me, including a group match.

Bottom line: this is just the beginning. We are now preparing a new hackathon for 2026: larger, tougher and even closer to real-world conditions.

For the same reason, I think it is important to grow your own people within development teams, so you should pay attention to inseca.tech and courses such as Security Champion.

#hackathon #appsec #devsecops #specialty #toolchain #vulnmanagement #course
