My name is Paul McCarty and I'm the founder of SecureStack. I like to describe SecureStack as the world's first DevSecOps Maturity Platform because we help our customers assess and then accelerate their DevSecOps journey.

I am a DevSecOps evangelist and thought leader obsessed with applied application security and securing the software supply chain. I like to say that I'm a technical founder who likes to work at the intersection of product delivery and security. I have built and led multiple product delivery teams: for the government, in the private sector and for my own startup, SecureStack.

I am a frequent public speaker and have presented at many events including: OWASP, SecTalks, CrikeyCon, TuskCon, RSA, AISA, and multiple BSides. I am a proud father, and I used to snowboard a lot.

📫 How to reach me? paulm (at) securestack.com

I wrote the DevSecOps Playbook in 2022 as a step-by-step guide for organizations to implement DevSecOps programs regardless of their size or industry.

The software supply chain is under increasing attack, but there is no industry standard definition of what the software supply chain is. How can we hope to secure the SSC if we don't know what's in it? This project is my attempt at creating a common definition to help organizations understand the scope and breadth of the SSC.

OSC&R is a comprehensive, systematic and actionable way to understand attacker behaviors and techniques with respect to the software supply chain. It is a matrix style document modeled on the MITRE ATT&CK matrix. I am a contributing member to the project.

The Minimal Viable Secure Product MVSP is a minimum security baseline for enterprise-ready products and services. The baseline checklist can be used at various stages of the sales cycle, from RFP through to contractual controls. I am an original contributing member.