G'day y'all. I spend most of my time doing software supply chain research and conducting supply chain offensive security operations. I'm currently the founder and maintainer of OpenSourceMalware, but I've previously founded GitHax, SourceCodeRED and SecureStack.
I've spent most of the last 25+ years doing what we now call DevSecOps. I'm obsessed with securing the software supply chain. I like to say that I'm a technical founder who likes to work at the intersection of product delivery and security. I have built and led multiple product delivery teams: for the government, in the private sector and for my own startups.
I am a frequent public speaker and have presented at many events, including OWASP, SecTalks, CrikeyCon, TuskCon, RSA, AISA, and multiple BSides. I am a proud father, and I used to snowboard a lot.
📫 How to reach me? 6mile (at) linux.com
🏢 Follow me on LinkedIn
I collaborated on the OpenSSF malicious packages project for years. Unfortunately, both the OSSF malicious package project and GitHub Security Advisories (GHSA) don't include threat intelligence in their advisories: What does the malicious package do? What does it communicate with? What does it steal? Does it download any secondary files? These are all important things to know if you want to hunt for these threats in your organization, or if you need to perform incident response when one of your developers installs a malicious package or when your continuous integration (CI) pipelines run one of these packages.
That's where OpenSourceMalware comes in. OSM is the world's largest community threat database for software supply chain malware including software packages, GitHub repositories, VSCode extensions, AI skills, domains, IP addresses, crypto wallet addresses and more. OSM has free APIs that organizations around the world hit thousands of times every single day.
I wrote the DevSecOps Playbook in 2022 as a step-by-step guide for organizations to implement DevSecOps programs regardless of their size or industry.
gimmePATz is a comprehensive reconnaissance tool for personal access tokens (PATs). It will tell you if a PAT is valid, and it will enumerate what organizations, secrets and variables a PAT can access. gimmePATz is built for red teams, pentesters and bug bounty hunters, but it can be useful for anyone who finds a PAT and thinks "I wonder what a bad guy could do with this?".
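The first two questions gimmePATz answers (is the token valid, and what can it reach?) come down to a couple of GitHub API calls and reading the response headers. The block below is an added example written for this page, not gimmePATz's own code: it classifies a GitHub token by its documented prefix, calls `/user` and `/user/orgs`, and turns the `X-OAuth-Scopes` header into a list of scopes with the high-impact ones flagged. The network call is kept in its own function so the summary logic can run offline on the constructed sample responses embedded here; the token value, user and organization names in the sample are made up, and `HIGH_IMPACT_SCOPES` is this example's own judgement call, not a GitHub classification.

```python
"""Added example: classify a GitHub token and summarise what it can reach."""
import json
import urllib.error
import urllib.request

API = "https://api.github.com"

# Token prefixes GitHub documents for its token formats.
TOKEN_PREFIXES = {
    "github_pat_": "fine-grained personal access token",
    "ghp_": "classic personal access token",
    "gho_": "OAuth access token",
    "ghu_": "GitHub App user-to-server token",
    "ghs_": "GitHub App installation token",
    "ghr_": "GitHub App refresh token",
}

# Classic scopes this example treats as high impact for a red team:
# `repo` is read/write on every repo the user can see, `workflow` lets you
# change Actions workflows (and so reach CI secrets), the rest are admin rights.
HIGH_IMPACT_SCOPES = {
    "repo", "workflow", "admin:org", "delete_repo",
    "write:packages", "admin:repo_hook", "admin:org_hook",
}


def classify_token(token: str) -> str:
    for prefix, kind in TOKEN_PREFIXES.items():
        if token.startswith(prefix):
            return kind
    return "unknown format"


def github_get(path: str, token: str):
    """Live call; returns (status, lowercased headers, parsed JSON body)."""
    req = urllib.request.Request(API + path, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "pat-recon-example",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            headers = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, headers, json.load(resp)
    except urllib.error.HTTPError as err:  # 401 = token invalid or revoked
        headers = {k.lower(): v for k, v in err.headers.items()}
        return err.code, headers, {}


def parse_scopes(headers: dict) -> list[str]:
    # Classic tokens report their scopes here; fine-grained tokens do not
    # send this header, so an empty list does not by itself mean "no access".
    raw = headers.get("x-oauth-scopes", "")
    return [s.strip() for s in raw.split(",") if s.strip()]


def summarize(token: str, user_status: int, user_headers: dict,
              user_body: dict, orgs_body: list) -> dict:
    scopes = parse_scopes(user_headers)
    return {
        "token_type": classify_token(token),
        "valid": user_status == 200,
        "login": user_body.get("login"),
        "scopes": scopes,
        "high_impact_scopes": sorted(set(scopes) & HIGH_IMPACT_SCOPES),
        "orgs": [org["login"] for org in orgs_body],
    }


def recon(token: str) -> dict:
    """Run the live recon: /user for validity and scopes, /user/orgs for orgs."""
    status, headers, user = github_get("/user", token)
    # Listing orgs needs read:org (or user) scope on classic tokens.
    orgs = github_get("/user/orgs", token)[2] if status == 200 else []
    return summarize(token, status, headers, user, orgs)


# Constructed sample responses (not real API output) so the summary runs offline.
SAMPLE_TOKEN = "ghp_" + "x" * 36
SAMPLE_USER_STATUS = 200
SAMPLE_USER_HEADERS = {"x-oauth-scopes": "repo, workflow, read:org",
                       "x-ratelimit-remaining": "4999"}
SAMPLE_USER_BODY = {"login": "example-user", "id": 1}
SAMPLE_ORGS_BODY = [{"login": "example-org"}, {"login": "another-org"}]

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_TOKEN, SAMPLE_USER_STATUS, SAMPLE_USER_HEADERS,
                               SAMPLE_USER_BODY, SAMPLE_ORGS_BODY), indent=2))
```

To run it against a real token, call `recon("ghp_...")`; the only difference from the sample is that the headers and bodies come from GitHub. A `401` from `/user` means the token is dead, which is itself a useful finding when triaging a leaked secret.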
MALOSS (pronounced "malice") scans package manifest files to see if any of the libraries and packages are malicious. It does this by analyzing local package manifest files, or remote package files, and checking them against GHSA and OSV. Incredibly, there are no existing open-source tools that help you identify malicious packages in your applications. That's why I built MALOSS.
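The core loop of a manifest scanner like MALOSS is: extract pinned `(name, version)` pairs from the manifest, ask an advisory database about each pair, and keep the hits that are malicious-package reports rather than ordinary vulnerabilities. The block below is an added example for this page, not MALOSS's own code. It parses `requirements.txt` and npm `package-lock.json`, builds a request for OSV's documented batch endpoint (`POST https://api.osv.dev/v1/querybatch`), and filters the response for advisory IDs with the `MAL-` prefix that the OpenSSF malicious packages project uses in OSV. The sample manifest and the sample OSV response are constructed here (the package `totally-legit-pkg` and the ID `MAL-0000-00001` are placeholders), so the parsing and filtering run offline; `query_osv` is the only function that touches the network.

```python
"""Added example: pinned packages from a manifest, checked against OSV for MAL- reports."""
import json
import re
import urllib.request

OSV_BATCH = "https://api.osv.dev/v1/querybatch"


def parse_requirements(text: str) -> list[tuple[str, str]]:
    """Return (name, version) for exact pins in requirements.txt.

    Only 'name==version' lines can be queried precisely; ranges, extras and
    URLs are skipped rather than guessed at.
    """
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([^\s;]+)", line)
        if m:
            pins.append((m.group(1).lower(), m.group(2)))
    return pins


def parse_package_lock(text: str) -> list[tuple[str, str]]:
    """Return (name, version) from a lockfileVersion 2/3 package-lock.json.

    Keys in "packages" look like 'node_modules/foo' or
    'node_modules/foo/node_modules/@scope/bar'; the name is whatever follows
    the last 'node_modules/'. The empty key is the root project itself.
    """
    data = json.loads(text)
    pins = []
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue
        name = path.split("node_modules/")[-1]
        if "version" in meta:
            pins.append((name, meta["version"]))
    return pins


def build_osv_batch(pins: list[tuple[str, str]], ecosystem: str) -> dict:
    """Payload shape for OSV /v1/querybatch; ecosystem is e.g. 'PyPI' or 'npm'."""
    return {"queries": [
        {"package": {"name": name, "ecosystem": ecosystem}, "version": version}
        for name, version in pins
    ]}


def query_osv(payload: dict) -> dict:
    """Live call to OSV. Results come back in the same order as the queries."""
    req = urllib.request.Request(
        OSV_BATCH, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "User-Agent": "maloss-example"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def malicious_findings(pins: list[tuple[str, str]], osv_response: dict) -> list[dict]:
    """Pair each query with its result and keep only MAL- (malicious package) IDs."""
    findings = []
    for (name, version), result in zip(pins, osv_response.get("results", [])):
        for vuln in result.get("vulns", []):
            if vuln.get("id", "").startswith("MAL-"):
                findings.append({"package": name, "version": version, "id": vuln["id"]})
    return findings


def scan_requirements(text: str) -> list[dict]:
    """Live end-to-end scan of a requirements.txt against OSV."""
    pins = parse_requirements(text)
    return malicious_findings(pins, query_osv(build_osv_batch(pins, "PyPI")))


# Constructed sample inputs (not real packages or real OSV output).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
totally-legit-pkg==1.0.0   # hypothetical package used for the sample
flask>=2.0                 # range, not a pin: skipped
"""
SAMPLE_LOCK = json.dumps({"name": "app", "lockfileVersion": 3, "packages": {
    "": {"name": "app"},
    "node_modules/left-pad": {"version": "1.3.0"},
    "node_modules/foo/node_modules/@scope/bar": {"version": "2.0.0"},
}})
# querybatch returns one entry per query, each with minimal {id, modified} vulns.
SAMPLE_OSV_RESPONSE = {"results": [
    {},
    {"vulns": [{"id": "MAL-0000-00001", "modified": "2024-01-01T00:00:00Z"},
               {"id": "GHSA-xxxx-xxxx-xxxx", "modified": "2024-01-01T00:00:00Z"}]},
]}

if __name__ == "__main__":
    pins = parse_requirements(SAMPLE_REQUIREMENTS)
    print(json.dumps(build_osv_batch(pins, "PyPI"), indent=2))
    print(malicious_findings(pins, SAMPLE_OSV_RESPONSE))
```

The `MAL-` filter is what separates a malicious-package scan from a normal vulnerability scan: a `GHSA-` hit on the same package is a bug to patch, while a `MAL-` hit means the version itself is the payload and the host that installed it needs incident response, not an upgrade.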
The software supply chain (SSC) is under increasing attack, but there is no industry standard definition of what the software supply chain is. How can we hope to secure the SSC if we don't know what's in it? This project is my attempt at creating a common definition to help organizations understand the scope and breadth of the SSC.
TVPO is a highly flexible threat modelling framework for software supply chains. The idea is to systematically identify gaps in a software supply chain by defining all of its components and their individual attackability. Red teams, penetration testers, and bug bounty researchers can use this framework to prioritize their offensive operations.
The aim of this project and repository is to be a comprehensive, high quality, open source database of reports of malicious packages published on open source package repositories. I have been one of the main contributors to this project over the last year.
OSC&R is a comprehensive, systematic and actionable way to understand attacker behaviors and techniques with respect to the software supply chain. It is a matrix style document modeled on the MITRE ATT&CK matrix. I am a contributing member to the project.
| Event | Talk / Presentation | URL |
|---|---|---|
| FIRST Berlin 2025 | Evolve or Perish: Integrating Software Supply Chain Intel into Enterprise CTI | YouTube |
| Project Discovery Hardly, Strictly Security | How secure is your open source project? | YouTube |
| OWASP Singapore | Hacking the software supply chain one developer at a time | YouTube |
| OWASP LasCon | The DevSecOps Playbook | YouTube |
| CrikeyCon 2021 | All your source code repos are belong to us | YouTube |
| AustCyber | Build your startup cyber secure | YouTube |