I do security work at GitHub (before that, Duo) and before that I was a co-founder at Olark.
I also maintain a2docs and BBTXL.
What's in the SOSS: OpenSSF Mission, Vision, Strategy, and Roadmap
OpenSSF "What's in the SOSS?" podcast episode with Arun Gupta (Intel / OpenSSF Governing Board Chair) and me about the Mission, Vision, Strategy, and Roadmap for the OpenSSF and what we're particularly excited about for 2025.
What's in the SOSS: Dig Into Package Repository Security
OpenSSF "What's in the SOSS?" podcast episode with Jack Cable from CISA and me about the Principles for Package Repository Security and the Securing Software Repositories Working Group.
Sigstore Cosign: Keeping Up with the Client Libraries
Presentation at SigstoreCon about work we're doing to keep cosign interoperable with client libraries and things like npm provenance, Homebrew attestations, and PyPI attestations.
Lessons Learned: Scaling Out Securing Open Source
Presentation at Microsoft BlueHat on how the OpenSSF Securing Software Repositories Working Group assisted in developing security capabilities across PyPI, Homebrew, NuGet and Rust Crates.
The second half of software supply chain security on GitHub [GitHub Blog]
What the public sector has been saying about the second half of supply chain security, and how GitHub can help you protect the integrity of the software you build.
cosign Verification of npm Provenance, GitHub Artifact Attestations, and Homebrew Provenance [Sigstore Blog]
How to use cosign with new deployments of Sigstore where signed material is stored in the bundle format.
How to Make Programming Language Package Repositories More Secure [OpenSSF Blog]
How the OpenSSF Securing Repositories Working Group supports varied package repositories through security roadmaps, published implementation guidance for specific capabilities, and an inventory of funding sources.
Public Sector + OpenSSF: Principles for Package Repository Security
An Open Source Summit North America talk with Jack Cable on releasing v0.1 of the Principles for Package Repository Security, which gives open source package repositories a roadmap and a document to reference in their applications for funding.
Releasing Principles for Package Repository Security [OpenSSF Blog]
Announcing the v0.1 release of Principles for Package Repository Security, a collaboration between the OpenSSF Securing Software Repositories Working Group and the Cybersecurity and Infrastructure Security Agency (CISA).
Using Go's built-in compiler and linker tooling, along with a Python helper script, to find out which dependencies add the most size to the resulting binary.
Advanced Security Capabilities All Package Managers Should Have
npm and Sigstore: Provenance Comes to the World's Largest OSS Ecosystem
Build Provenance for all Package Registries [OpenSSF Securing Software Repos Working Group]
Bringing Provenance to All of Open Source: Lessons from npm's Sigstore Integration [Supply Chain Security Con]
Security Considerations with Fulcio and OIDC JWTs
Why we're excited about the Sigstore general availability [GitHub Blog]
Unlocking Cloud Build Security with OIDC
Connecting to a Private Network from GitHub-hosted Actions Runners [GitHub Blog]
How to Secure Your End-to-End Supply Chain [GitHub Blog]