G'day y'all. I spend most of my time doing software supply chain research and conducting supply chain offensive security operations. I'm currently the Head of Research for a supply chain security company, Safety, but I've previously founded GitHax, SourceCodeRED and SecureStack.
I've spent most of the last 25+ years doing what we now call DevSecOps. I'm obsessed with securing the software supply chain. I like to say that I'm a technical founder who likes to work at the intersection of product delivery and security. I have built and led multiple product delivery teams: for the government, in the private sector and for my own startups.
I am a frequent public speaker and have presented at many events including: OWASP, SecTalks, CrikeyCon, TuskCon, RSA, AISA, and multiple BSides. I am a proud father, and I used to snowboard a lot.
📫 How to reach me? 6mile (at) linux.com
I wrote the DevSecOps Playbook in 2022 as a step-by-step guide for organizations to implement DevSecOps programs regardless of their size or industry.
The software supply chain (SSC) is under increasing attack, but there is no industry standard definition of what the software supply chain is. How can we hope to secure the SSC if we don't know what's in it? This project is my attempt at creating a common definition to help organizations understand the scope and breadth of the SSC.
OSC&R is a comprehensive, systematic and actionable way to understand attacker behaviors and techniques with respect to the software supply chain. It is a matrix-style document modeled on the MITRE ATT&CK matrix. I am a contributing member of the project.
The Minimal Viable Secure Product (MVSP) is a minimum security baseline for enterprise-ready products and services. The baseline checklist can be used at various stages of the sales cycle, from RFP through to contractual controls. I am an original contributing member.