Paul McCarty

Staff Security Engineer - GitLab

Paul is a DevSecOps OG and spends most of his time red teaming the software supply chain for GitLab. He also founded SecureStack, a software supply chain security startup. Paul has worked for NASA, Boeing, Blue Cross/Blue Shield, John Deere, the US military, and the Australian government, amongst others. Paul is a frequent contributor to open source and is the author of the DevSecOps Playbook, Visualizing Software Supply Chain and many other open-source projects. He's also a pretty good snowboarder and, most importantly, a husband and father to 3 amazing kids.

Presentation Abstract

Red Teaming the Software Supply Chain

The software supply chain is under increasing threat. New attacks and threats have popped up that we couldn't have imagined even two years ago. Total attacks on the software supply chain have been increasing by more than 730% year on year since 2019. One way for organizations to combat this growing threat is to empower their red teams to test the organization's software supply chains. But many red teams are ill-prepared to tackle this new attack surface.

This talk will describe how security teams, red teams, or security researchers can quickly identify the multiple components in a particular application's software supply chain, and then how to find soft targets to focus on. I will describe my VBP framework (value, behaviour and patterns), which is an applied threat modeling framework for software supply chains. Finally, I will visually describe one of my red team operations on an open source project and the tools that I use (or have written) to make that possible.