OSC&R (Open Software Supply Chain Attack Reference) is an open framework for understanding and evaluating software supply chain security threats. It has received the endorsement of former U.S. NSA Director Admiral Mike Rogers, and is now available on GitHub.
Spearheaded by OX Security, OSC&R is a MITRE-like framework designed to provide a common language and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains. It aims to give the security community a single point of reference to proactively assess their strategies for securing their software supply chains and to compare solutions.
“After we launched OSC&R we were overwhelmed with emails from people working on elements within OSC&R and wanting to contribute,” said Neatsun Ziv, CEO at OX Security. “By moving to GitHub and opening the project to contributions we hope to capture this collective knowledge and experience for the benefit of the entire security community. It provides real value to the project to now have Mike and Dineshwar as part of the community, as well.”
“Cybersecurity is a game of cat and mouse,” said Mike Rogers. “Gaining the upper hand requires building a good threat model, and OSC&R enables organizations to identify security requirements, pinpoint security threats and potential vulnerabilities, quantify threat and vulnerability criticality, and prioritize remediation methods.”
For companies looking to build out a software supply chain security program, the OSC&R framework can help guide the effort. Security teams can use OSC&R to evaluate existing defenses, define which threats need to be prioritized and how existing coverage addresses them, and help track the behaviors of attacker groups.
Founding members of OSC&R share a common mission of helping security teams reduce their attack surface and build their security strategy with confidence. “The velocity, diversity, and dynamic nature of the modern-day engineering ecosystem have reshaped the Software Supply Chain Security domain,” said David Cross, former Microsoft and Google cloud security executive and founding member of OSC&R. “Tools that standardize on OSC&R will provide continuity and cohesiveness that many security strategies are often lacking.”