The OSC&R Framework aims to help security professionals better understand and measure software supply chain risk.

A new open framework has been launched to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack Reference (OSC&R) initiative, led by OX Security, evaluates software supply chain security threats, covering a wide range of attack vectors including vulnerabilities in third-party libraries and components, supply chain attacks on build and deployment systems, and compromised or malicious software updates. Cybersecurity professionals among the matrix’s founding consortium include representatives from GitLab as well as former leaders from Microsoft, Google Cloud, Check Point Technologies, and OWASP.

OSC&R addresses need for MITRE-like security framework for software supply chain

The OSC&R framework has been created to address the need for a MITRE ATT&CK-like framework that allows experts to better understand and measure software supply chain risk, Neatsun Ziv, founder of OX Security, tells CSO. “In other fields, let’s say endpoint and ransomware, there are great frameworks that give a full view of the threat landscape,” he says. “When it comes to the software supply chain, there is no understanding whatsoever in the industry.
What we’re trying to do is take all the information that is out there and build it into a framework that every practitioner will be able to use to assess what they’re currently doing in terms of the software supply chain, understand what their exposures are, and try to understand how to address them in a rapid way.”

Hiroki Suezawa, senior security engineer at GitLab, stated that the framework gives the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions to help security teams build their security strategy with confidence.

OSC&R framework focuses on software supply chain attack methods

The OSC&R framework focuses on attack kill chains and the processes adversaries employ to carry out software supply chain attacks, Ziv says. “The OSC&R framework follows the steps attackers take and gives defenders visibility they currently do not have to help them secure themselves and understand where they are vulnerable and should focus their efforts,” he adds.

OSC&R is now ready to be used by security teams to evaluate existing defenses and define which threats need to be prioritized, how existing coverage addresses those threats, as well as to help track behaviors of attacker groups. It will be updated regularly as new tactics and techniques emerge and evolve, and will assist red-teaming activities by helping set the scope required for a pen test or a red team exercise, serving as a scorecard both during and after the test.

Around 20 companies are contributing to the framework as part of a working group, with the aim to open it out for wider industry contribution in the next few months, Yael Citro, OX Security consultant, tells CSO. “Everyone will be able to share their knowledge and expertise and experience – that is really where the project is headed,” she adds.
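As an added illustration of the scorecard use described above (example code written for this page, not OSC&R's own data or tooling): a small Python model of an ATT&CK-style matrix. The three tactic groups follow the attack-vector categories the article names; the technique labels, the control inventory and the red-team results are constructed placeholders, not OSC&R identifiers. Each technique is classified by whether a control maps to it and whether a test confirmed that control actually fired, which yields per-tactic coverage and a prioritized gap list in which a control that failed under test ranks ahead of a plain gap, because it represents coverage the team believed it had.

```python
"""Coverage scorecard over an ATT&CK-style software supply chain matrix.

Hypothetical example added to the article. Tactic names follow the three
attack-vector groups the article lists; technique labels, controls and
red-team results below are constructed and are not OSC&R identifiers.
"""
from dataclasses import dataclass

# Constructed matrix: tactic -> techniques (illustrative labels only).
MATRIX = {
    "Third-party libraries and components": [
        "vulnerable dependency", "typosquatted package", "dependency confusion",
    ],
    "Build and deployment systems": [
        "CI runner compromise", "build script tampering", "artifact store poisoning",
    ],
    "Software updates": [
        "unsigned update accepted", "update server compromise",
    ],
}


@dataclass(frozen=True)
class Control:
    name: str
    covers: frozenset  # technique labels this control is meant to block or detect


# Constructed control inventory (assumption: these map cleanly to techniques).
CONTROLS = [
    Control("SCA scan in CI", frozenset({"vulnerable dependency"})),
    Control("private registry with allowlist",
            frozenset({"typosquatted package", "dependency confusion"})),
    Control("signature verification on updates", frozenset({"unsigned update accepted"})),
]

# Constructed red-team results: technique -> True if the attempt was blocked or
# detected by the mapped control, False if it went through unnoticed.
RED_TEAM = {
    "typosquatted package": True,
    "dependency confusion": False,   # a control exists but did not fire
    "CI runner compromise": False,   # attempted with no control in place
}


def technique_status(matrix, controls, results):
    """Classify every technique in the matrix.

    uncovered         : no control maps to it
    covered-untested  : a control maps to it but no test exercised it
    covered-validated : a control maps to it and a test confirmed it fired
    covered-failed    : a control maps to it but a test got past it
    """
    covered = set()
    for control in controls:
        covered |= control.covers
    status = {}
    for techniques in matrix.values():
        for technique in techniques:
            if technique not in covered:
                status[technique] = "uncovered"
            elif technique not in results:
                status[technique] = "covered-untested"
            elif results[technique]:
                status[technique] = "covered-validated"
            else:
                status[technique] = "covered-failed"
    return status


def tactic_coverage(matrix, status):
    """Fraction of each tactic's techniques that have at least one mapped control."""
    return {
        tactic: sum(status[t] != "uncovered" for t in techniques) / len(techniques)
        for tactic, techniques in matrix.items()
    }


def priorities(matrix, status):
    """Worklist as (tactic, technique, status) tuples.

    Failed controls come first (believed coverage that is not real), then
    uncovered techniques; within each group the tactic with the least
    coverage is listed first, then alphabetically by technique label.
    """
    coverage = tactic_coverage(matrix, status)
    rank = {"covered-failed": 0, "uncovered": 1}
    items = [
        (rank[status[t]], coverage[tactic], tactic, t)
        for tactic, techniques in matrix.items()
        for t in techniques
        if status[t] in rank
    ]
    return [(tactic, t, status[t]) for _, _, tactic, t in sorted(items)]


if __name__ == "__main__":
    status = technique_status(MATRIX, CONTROLS, RED_TEAM)
    for tactic, fraction in tactic_coverage(MATRIX, status).items():
        print(f"{tactic}: {fraction:.0%} of techniques have a mapped control")
    for tactic, technique, state in priorities(MATRIX, status):
        print(f"  [{state}] {tactic} / {technique}")
```

Running the block as a script prints the per-tactic coverage and then the worklist; with the constructed data the failed "dependency confusion" control is listed before the three build-system gaps, even though the library tactic shows full nominal coverage. The same status map can be re-run after a red-team exercise with the updated results to serve as the after-test scorecard the article mentions.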
Software supply chain security still high on the agenda

Software supply chain security is high on the agenda for businesses and the security industry as software supply chain-related compromises and risks continue to impact organizations across the globe. In September last year, the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) published Securing the Software Supply Chain: Recommended Practices Guide for Developers. The publication emphasizes the role developers play in creating secure software and provides guidance in line with industry best practices and principles which software developers are strongly encouraged to reference.

In July, the Center for Internet Security published similar best practice guidance for securing each phase of the software supply chain. In May, Rezilion launched Dynamic SBOM (software bill of materials), an application designed to plug into an organization’s software environment to examine how multiple components are being executed in runtime, and reveal bugs and vulnerabilities.