Home » Topics » Cybersecurity » Industry-first software supply chain security framework launched

Industry-first software supply chain security framework launched

Security teams will now be able to gain a better understanding of how best to mitigate attacks on the software supply chain.

Avatar photoby Aaron Hurst

Security leaders have launched the Open Software Supply Chain Attack Reference (OSC&R), to help organisations gain better understanding of evolving supply chain threats and how to mitigate them

With the entire software supply chain being increasingly targeted by threat actors, there emerged the need for a MITRE ATT&CK-like security framework that would allow experts to better understand and measure risk — a process that until now could only be based on intuition and experience.

OSC&R is designed to provide a common language and structure for understanding and analysing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains.

The founding consortium of cybersecurity leaders behind OSC&R include:

The matrix, which is set to be updated as cyber attacks continue to evolve, is now prepared to be used by security teams to evaluate existing defences and define which threats need to be prioritised.

Additionally, security teams will be able to better understand how existing coverage addresses those threats, and learn how to help track behaviours of attacker groups.

It will also assist red-teaming activities by helping set the scope required for a penetration test or a red team exercise, serving as a scorecard both during and after the test.

“Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn’t productive,” said Neatsun Ziv, co-founder and CEO of OX Security.

“Without an agreed-upon definition of the software supply chain, security strategies are often siloed.”

Hiroki Suezawa, senior security engineer at Gitlab, commented: “OSC&R helps security teams build their security strategy with confidence.

“We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions.”

Naor Penso, head of product security at FICO, added: “I believe the OSC&R framework will help organisations reduce their attack surface.

“I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise.”

The new OSC&R framework can now be found online, here.

Related:

Considering security risks from third parties in the supply chainDiscussing how organisations can mitigate security risks brought by third parties in the supply chain.

What the retail sector can learn from supply chain disruptionConsidering what retailers can learn from supply chain disruption.

Avatar photo

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.

Related Topics

Cyber Security
Software Security
Supply Chain

Related Stories

Cybersecurity

Fully Homomorphic Encryption (FHE) with silicon photonics – the future of secure computing

Nick New, CEO and founder of Optalysys, walks us through the opportunities and challenges in implementing Fully Homomorphic Encryption (FHE)

Cybersecurity

DFIR and its role in modern cybersecurity 

Here is why digital forensics and incident response (DFIR) is a crucial part of today's cybersecurity ecosystem

Cybersecurity

Will more AI mean more cyberattacks?

An increased use of AI within organisations could spell a rise in cyberattacks, explains Nick Martindale. Here's what you can do

Cybersecurity

Is RaaS becoming commoditised?

Ransomware as a Software (RaaS) lowers the barriers to entry for attackers and has increased competition between criminal groups