G'day ya'll. I spend most of my time doing software supply chain research and conducting supply chain offensive security operations. I'm currently the Head of Research for a supply chain security company Safety, but I've previously founded GitHax, SourceCodeRED and SecureStack.
I've spent most of the last 25+ years doing what we now call DevSecOps. I'm obsessed with securing the software supply chain. I like to say that I'm a technical founder who likes to work at the intersection of product delivery and security. I have built and led multiple product delivery teams: for the government, in the private sector and for my own startups.
I am a frequent public speaker and have presented at many events including: OWASP, SecTalks, CrikeyCon, TuskCon, RSA, AISA, and multiple BSides. I am a proud father, and I used to snowboard a lot.
📫 How to reach me? 6mile (at) linux.com
🏢 Follow me on LinkedIn
I wrote the DevSecOps Playbook in 2022 as a step-by-step guide for organizations to implement DevSecOps programs regardless of their size or industry.
gimmePATz is a comprehensive reconnaissance tool for personal access tokens (PAT). It will tell you if a PAT is valid, and it will enumerate what organizations, secrets and variables a PAT can access. gimmePATz is built for red teams, pentesters and bug bounty hunters, but it can be useful for anyone that finds a PAT and thinks "I wonder what a bad guy could do with this?".
MALOSS (pronounced "malice"), scans package manifest files to see if any of the libraries and packages are malicious. It does this by analyzing local package manifest files, or remote package files, and checking then against GHSA and OSV. Incredibly, there are no existing open-source tools that help you identify malicious packages in your applications. That's why I built MALOSS.
The software supply chain is under increasing attack, but there is no industry standard definition of what the software supply chain is. How can we hope to secure the SSC if we don't know what's in it? This project is my attempt at creating a common definition to help organizations understand the scope and breadth of the SSC.
TVPO is highly flexible threat modelling framework for software supply chains. The idea was to systematically idenfity gaps in a software supply chain components by defining all those components, and their individual attackability. Red teams, penetration testers, and bug bounty researchers can use this framework to prioritize their offensive operations.
The aim of this project and repository is to be a comprehensive, high quality, open source database of reports of malicious packages published on open source package repositories. I am one of the main contributors to this project over the last year.
OSC&R is a comprehensive, systematic and actionable way to understand attacker behaviors and techniques with respect to the software supply chain. It is a matrix style document modeled on the MITRE ATT&CK matrix. I am a contributing member to the project.
