Industry-first software supply chain security framework launched

Security leaders have launched the Open Software Supply Chain Attack Reference (OSC&R) to help organisations gain a better understanding of evolving supply chain threats and how to mitigate them.

With the software supply chain increasingly targeted by threat actors, a need emerged for a MITRE ATT&CK-style framework that lets security experts understand and measure supply chain risk, something that until now could only be judged from intuition and experience.

OSC&R is designed to provide a common language and structure for understanding and analysing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains.

The founding consortium of cybersecurity leaders behind OSC&R includes:

The matrix, which is set to be updated as cyber attacks continue to evolve, is now ready for security teams to use to evaluate existing defences and decide which threats should be prioritised.

Security teams will also be able to see how their existing coverage addresses those threats, and to use the matrix to track the behaviours of attacker groups.

It will also support red-teaming activities by helping to set the scope of a penetration test or red team exercise, and by serving as a scorecard both during and after the test.

“Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn’t productive,” said Neatsun Ziv, co-founder and CEO of OX Security.

“Without an agreed-upon definition of the software supply chain, security strategies are often siloed.”

Hiroki Suezawa, senior security engineer at GitLab, commented: “OSC&R helps security teams build their security strategy with confidence.

“We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions.”

Naor Penso, head of product security at FICO, added: “I believe the OSC&R framework will help organisations reduce their attack surface.

“I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise.”

The OSC&R framework is now available online.



Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.