The OSC&R Framework aims to help security professionals better understand and measure software supply chain risk.

A new open framework has been launched to outline a comprehensive and actionable way for businesses and security teams to understand attacker behaviors and techniques specifically impacting the software supply chain. The Open Software Supply Chain Attack Reference (OSC&R) initiative, led by OX Security, evaluates software supply chain security threats, covering a wide range of attack vectors including vulnerabilities in third-party libraries and components, supply chain attacks on build and deployment systems, and compromised or malicious software updates. Cybersecurity professionals among the matrix’s founding consortium include representatives from GitLab as well as former leaders from Microsoft, Google Cloud, Check Point Technologies, and OWASP.

OSC&R addresses need for MITRE-like security framework for software supply chain

The OSC&R framework has been created to address the need for a MITRE ATT&CK-like framework that allows experts to better understand and measure software supply chain risk, Neatsun Ziv, founder of OX Security, tells CSO. “In other fields, let’s say endpoint and ransomware, there are great frameworks that give a full view of the threat landscape,” he says. “When it comes to the software supply chain, there is no understanding whatsoever in the industry.
What we’re trying to do is take all the information that is out there and build it into a framework that every practitioner will be able to use to assess what they’re currently doing in terms of the software supply chain, understand what their exposures are, and try to understand how to address them in a rapid way.”

Hiroki Suezawa, senior security engineer at GitLab, stated that the framework gives the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions, helping security teams build their security strategy with confidence.

OSC&R framework focuses on software supply chain attack methods

The OSC&R framework focuses on attack kill chains and the processes adversaries employ to carry out software supply chain attacks, Ziv says. “The OSC&R framework follows the steps attackers take and gives defenders visibility they currently do not have to help them secure themselves and understand where they are vulnerable and should focus their efforts,” he adds. OSC&R is now ready to be used by security teams to evaluate existing defenses and define which threats need to be prioritized and how existing coverage addresses those threats, as well as to help track the behaviors of attacker groups. It will be updated regularly as new tactics and techniques emerge and evolve, and will assist red-teaming activities by helping set the scope required for a pen test or a red team exercise, serving as a scorecard both during and after the test.

Around 20 companies are contributing to the framework as part of a working group, with the aim of opening it up for wider industry contribution in the next few months, Yael Citro, OX Security consultant, tells CSO. “Everyone will be able to share their knowledge and expertise and experience – that is really where the project is headed,” she adds.
Software supply chain security still high on the agenda

Software supply chain security is high on the agenda for businesses and the security industry as software supply chain-related compromises and risks continue to impact organizations across the globe. In September last year, the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) published Securing the Software Supply Chain: Recommended Practices Guide for Developers. The publication emphasizes the role developers play in creating secure software and provides guidance in line with industry best practices and principles which software developers are strongly encouraged to reference.

In July, the Center for Internet Security published similar best practice guidance for securing each phase of the software supply chain. In May, Rezilion launched Dynamic SBOM (software bill of materials), an application designed to plug into an organization’s software environment to examine how multiple components are being executed at runtime and reveal bugs and vulnerabilities.