OX Security announces the release of OSC&R


The first end-to-end software supply chain security solution, OX Security, officially announced the release of OSC&R (Open Software Supply Chain Attack Reference), the first and only open framework for comprehending and assessing current risks to the security of the whole software supply chain.

The founding consortium of cybersecurity leaders behind OSC&R includes David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, Co-Founder and CEO of OX Security; Lior Arzi, Co-Founder and CPO at OX Security; Hiroki Suezawa, Senior Security Engineer at GitLab; Eyal Paz, Head of Research at OX Security; Phil Quade, former CISO at Fortinet; Dr. Chenxi Wang, former OWASP Global Board member; Shai Sivan, CISO at Kaltura; Naor Penso, Head of Product Security at FICO; and Roy Feintuch, former Cloud CTO at Check Point Technologies.

There was a real need for a MITRE-like framework that would enable specialists to assess and evaluate supply chain risk more accurately. Until now, this process could only rely on intuition and experience, according to conversations with hundreds of industry executives. OSC&R was created to provide a standard language and framework for understanding and analyzing the tactics, techniques, and procedures (TTPs) that attackers use to breach the security of software supply chains.

Neatsun Ziv, who was Check Point’s VP of Cyber Security before starting OX, said that talking about supply chain security without an accumulated understanding of the software supply chain is ineffective. Security methods are often classed without a consensus definition of the software supply chain.

Security teams can now use OSC&R to assess current defenses, determine which threats need to be prioritized, see how existing coverage meets those risks, and observe the actions of attacker groups.

According to Hiroki Suezawa, Senior Security Engineer at GitLab, “OSC&R helps security teams create their security strategy with confidence.” “We wanted to provide the security community with a single point of reference so they could compare solutions and proactively evaluate their methods for safeguarding their software supply chains,” Suezawa added.

The OSC&R framework will be updated to account for new strategies and methods as they appear. It will also support red-teaming activities by setting the scope necessary for a pentest or a red team exercise and acting as a scorecard both during and after the test. In addition, the framework is now open for additional leaders and practitioners in the field of cybersecurity to contribute to.

Naor Penso, Head of Product Security at FICO, believes that the OSC&R framework will help firms decrease their attack surface. “I think the OSC&R framework will help organizations reduce their attack surface,” Penso said. “I am glad to offer our knowledge and skills as part of a project that has the potential to have such a significant influence on the future landscape of security. I am also delighted to take part in this initiative.”
