About the Author
Michael Scovetta is a Principal Security PM Manager at Microsoft, where he leads a team dedicated to understanding and addressing emerging security threats in open source software. With over 25 years of experience in software engineering and security—more than a decade focused specifically on open source—Michael has become one of the leading voices in software supply chain security.
Michael is a co-founder and co-lead of the Alpha-Omega project under the Open Source Security Foundation (OpenSSF), an initiative focused on improving the security of critical open source projects. His contributions to OpenSSF extend well beyond Alpha-Omega: he has led the Identifying Security Threats Working Group, chaired the Metrics & Metadata Working Group, authored the influential Threats, Risks and Mitigations white paper, and driven the creation of the security-reviews project.
At Microsoft, Michael and his team have developed a suite of open source security tools, including Microsoft Application Inspector, a source code analyzer that helps organizations understand what software components actually do. His team's tooling spans package ecosystem analysis, reproducible build verification, cryptographic implementation detection, and typosquatting identification.
Prior to Microsoft, Michael held security and software engineering roles at CBS, CA Technologies, Cigital, and UBS Financial Services. He earned a Master of Engineering degree in Computer Science from Cornell University and a Bachelor of Science degree from Hofstra University.
Michael is a frequent speaker at security conferences, including Microsoft Research Summit, LocoMocoSec, and AngelBeat workshops, where he presents on topics ranging from software supply chain security to managing open source risk in the enterprise.

A Note on AI-Assisted Content
In the spirit of transparency, the author wishes to disclose that artificial intelligence tools were used in the creation of this book. Specifically, large language models assisted with drafting, editing, research synthesis, and content organization throughout the writing process.
The author maintained editorial oversight and responsibility for all content. Every factual claim, technical recommendation, and case study was reviewed for accuracy. AI served as a collaborative tool—helping to articulate ideas, identify gaps, and refine prose—but the expertise, judgment, and perspective reflected in these pages are the author's own.
This disclosure reflects our belief that transparency about AI use is essential, particularly in a book about supply chain trust and integrity. Just as we advocate for transparency in software dependencies, we believe readers deserve to understand how the content they consume was produced.