I have been deeply immersed in software supply chain security for more than a decade, founding and chairing the open standards that now define how organizations describe and exchange software transparency information.
My journey with OWASP began in 2012. I am a lifetime OWASP member and currently serve as Chair of the OWASP Global Board of Directors, helping drive the continued growth of the foundation and its mission to make secure software a reality through open collaboration, education, and innovation.
Alongside board service, I founded and chair the OWASP CycloneDX Core Working Group. What began as an OWASP project has grown into the most widely adopted SBOM standard in the world and, in 2024, became an international standard through Ecma International as ECMA-424. I also lead the OWASP Dependency-Track project, which was founded in 2013 and supports full-stack inventory of hardware, software, and services, and coauthored the OWASP Software Component Verification Standard (SCVS), which is referenced in its entirety in the NIST Secure Software Development Framework.
I founded Ecma International Technical Committee 54 (TC54) and chaired it during its first two years. TC54 is the home of the international standards program on software and system transparency, including CycloneDX, Package-URL, OWASP Common Lifecycle Enumeration (CLE), and the Transparency Exchange API. This work is reshaping how software evidence is discovered, exchanged, and verified across the supply chain.
Outside of standards and advisory work, I write, speak, and teach. I am passionate about helping organizations identify and reduce risk from the software they build and consume, and I believe the next decade of security gains will come from better transparency rather than better perimeters.