The Sched app lets you build your schedule, but it is not a substitute for event registration. You must be registered for Open Source in Finance Forum Toronto 2026 to participate in the sessions. If you have not registered but would like to join us, please visit the event registration page to purchase a ticket.
Homebrew is the default package manager for macOS and it’s already running on your developers' machines, sanctioned or not. The instinct in financial services is to block it. Blocking it doesn't remove it; it turns it into shadow IT.
Traditional security tooling wasn't built to see Homebrew directly. EDR infers activity from process execution paths. Network monitoring watches for traffic to GitHub and bottle registries. File integrity scanning detects new executables in brew paths. These signals are indirect and incomplete: packages installed but never run are invisible, cached bottles bypass network detection, and installs that don't require sudo slip past privilege monitoring entirely.
In a regulated environment where software supply chain integrity, SBOMs, and audit trails are non-negotiable, this isn't a theoretical risk. Open source doesn't stop being open source just because your security tool didn't log it.
This talk examines why "just ban it" fails in practice, and what a realistic, compliance-aware approach to open source tooling looks like for engineering teams that can't afford shadow IT.
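One way to see what the indirect signals above miss, as an added example (not code from the talk or from Homebrew): read each keg's `INSTALL_RECEIPT.json` under the Cellar, so packages that were installed but never run still show up in an inventory. The two default prefixes, the receipt fields read here, and the sample kegs are assumptions of this example.

```python
import json
import tempfile
from pathlib import Path

# Assumption: default Homebrew prefixes (Apple Silicon, then Intel macOS).
DEFAULT_CELLARS = [Path("/opt/homebrew/Cellar"), Path("/usr/local/Cellar")]

def inventory(cellar: Path) -> list:
    """List every installed formula version from on-disk install receipts."""
    rows = []
    kegs = sorted(cellar.glob("*/*")) if cellar.is_dir() else []
    for keg in (k for k in kegs if k.is_dir()):  # Cellar/<formula>/<version>
        row = {"name": keg.parent.name, "version": keg.name, "tap": None,
               "from_bottle": None, "on_request": None, "installed_at": None,
               "receipt": "missing"}
        try:
            data = json.loads((keg / "INSTALL_RECEIPT.json").read_text())
            row.update(tap=(data.get("source") or {}).get("tap"),
                       from_bottle=data.get("poured_from_bottle"),
                       on_request=data.get("installed_on_request"),
                       installed_at=data.get("time"), receipt="ok")
        except FileNotFoundError:
            pass  # a keg without a receipt is still reported, as "missing"
        except (ValueError, OSError, AttributeError):
            row["receipt"] = "unreadable"  # corrupt or unexpected receipt
        rows.append(row)
    return rows

def build_sample_cellar(root: Path) -> Path:
    """Constructed sample data: one keg with a receipt, one without."""
    cellar = root / "Cellar"
    keg = cellar / "jq" / "1.7.1"
    keg.mkdir(parents=True)
    (keg / "INSTALL_RECEIPT.json").write_text(json.dumps({
        "poured_from_bottle": True, "installed_on_request": True,
        "time": 1700000000, "source": {"tap": "homebrew/core"}}))
    (cellar / "example-tool" / "0.0.1").mkdir(parents=True)
    return cellar

if __name__ == "__main__":
    found = [r for c in DEFAULT_CELLARS for r in inventory(c)]
    if not found:  # no Homebrew on this host: use the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            found = inventory(build_sample_cellar(Path(tmp)))
    for r in found:
        print(json.dumps(r))
```

Each output line is one JSON record, so the result can be shipped to an asset inventory or compared against an approved-package list; kegs flagged `missing` or `unreadable` are worth a closer look because their origin cannot be read from the receipt.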
Lifelong tech enthusiast, former lawyer turned enterprise sales advocate. Billy found his home at the crossroads of developer tooling, SaaS security, and compliance.