With the entire software supply chain being increasingly targeted by threat actors, there emerged the need for a MITRE ATT&CK-like security framework that would allow experts to better understand and measure risk — a process that until now could only be based on intuition and experience.
OSC&R is designed to provide a common language and structure for understanding and analysing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains.
The founding consortium of cybersecurity leaders behind OSC&R include:
- Neatsun Ziv, co-founder and CEO of OX Security;
- David Cross, former Microsoft and Google Cloud security executive;
- Hiroki Suezawa, senior security engineer at GitLab;
- Naor Penso, head of product security at FICO;
- Phil Quade, former CISO at Fortinet.
The matrix, which is set to be updated as cyber attacks continue to evolve, is now prepared to be used by security teams to evaluate existing defences and define which threats need to be prioritised.
Additionally, security teams will be able to better understand how existing coverage addresses those threats, and learn how to help track behaviours of attacker groups.
“Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn’t productive,” said Neatsun Ziv, co-founder and CEO of OX Security.
“Without an agreed-upon definition of the software supply chain, security strategies are often siloed.”
Hiroki Suezawa, senior security engineer at Gitlab, commented: “OSC&R helps security teams build their security strategy with confidence.
“We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions.”
Naor Penso, head of product security at FICO, added: “I believe the OSC&R framework will help organisations reduce their attack surface.
“I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise.”
The new OSC&R framework can now be found online, here.
Considering security risks from third parties in the supply chain — Discussing how organisations can mitigate security risks brought by third parties in the supply chain.
What the retail sector can learn from supply chain disruption — Considering what retailers can learn from supply chain disruption.