Paul McCarty

Red Team Staff Engineer

Paul is a DevSecOps OG and spends his time red teaming the software supply chain for GitLab. He was also the founder of SecureStack, a cloud-native software supply chain security startup. Paul has worked for NASA, Boeing, Blue Cross/Blue Shield, John Deere, the US military, and the Australian government, amongst others. Paul is a frequent contributor to open source and is the author of the DevSecOps Playbook, Visualizing Software Supply Chain, and many other open-source projects. He’s also a pretty good snowboarder and, most importantly, a husband and father to 3 amazing kids.

How secure is your open-source project? A story about open-source software supply chains

Open-source software makes up a significant part of the applications our teams build every day. Unfortunately, criminals have found that attacking the supply chains underpinning these open-source projects is a very effective way to gain access to many targets at once. We saw this recently with the xz-utils/liblzma software supply chain attack. Customers are waking up to the fact that the bad guys have the ability, and the inclination, to spend years building sophisticated attacks on the open-source software we all depend on. In this talk Paul will describe a real-world software supply chain issue he ran into and how it affected the customer. Luckily this wasn't an attack, but it had significant consequences for the customer consuming the open-source software. The presentation will also describe a number of tools and processes for identifying risk in open-source software supply chains.

©2024 ProjectDiscovery, Inc. All rights reserved.