Brian Jackson - stock.adobe.com

OSC&R supply chain security framework goes live on Github

The OSC&R framework for understanding and evaluating threats to supply chain security has made its debut on Github to allow anybody to contribute to the framework

The backers of the Open Software Supply Chain Attack Reference (OSC&R) framework for supply chain security has gone live on Github, enabling anybody to contribute to the model.

The MITRE ATT&CK-like framework was launched in February with the stated goal of helping security teams improve their understanding of software supply chain threats, evaluate them and get to grips with them.

Led by Ox Security, an Israel-based supply chain specialist, the project’s backers include David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, co-founder and CEO of Ox Security; Lior Arzi, co-founder and CPO at Ox Security; Hiroki Suezawa, senior security engineer at GitLab; Eyal Paz, head of research at Ox Security; Chenxi Wang, former OWASP global board member; Shai Sivan, CISO at Kaltura; Naor Penso, head of product security at FICO; and Roy Feintuch, former cloud CTO at Check Point.

“After we launched OSC&R we were overwhelmed with emails from people working on elements within OSC&R and wanting to contribute,” said Neatsun Ziv, who served as Check Point’s vice-president of cyber security prior to founding Ox.

By moving to Github and opening the project to contributions we hope to capture this collective knowledge and experience for the benefit of the entire security community.”

At the same time, Visa product security Dineshwar Sahni has also joined the consortium, while former NSA director Mike Rogers, who ran the US intelligence agency from 2014 to 2018, has thrown his backing behind the project.

“Cyber security is a game of cat and mouse,” said Rogers. “Gaining the upper hand requires building a good threat model and OSC&R enables organisations to identify security requirements, pinpoint security threats and potential vulnerabilities, quantify threat and vulnerability criticality, and prioritise remediation methods.”

Sahni added: “In one episode of Star Trek, while working on vulnerabilities of the Enterprise in relation to the threat actor, Mr Spock said, ‘Insufficient facts always invite danger, Captain!’. The same certainly holds true in cyber security, where a lack of information increases vulnerability. By increasing the community’s knowledge, OSC&R holds tremendous potential to mitigate dangers to the software supply chain and reduce the attack surface more broadly.”

The framework’s backers believe their project will prove immensely valuable to companies looking to build out their software supply chain security programmes. Among other things, it can help evaluate existing defences, define threat prioritisation criteria, and track the behaviours of attacker groups.

The need for organisations to prioritise the resilience of their software supply chains has been hammered home repeatedly over the past few years, with arguably the most impactful incident being the SolarWinds incident of 2020/1, which began when Russian threat actors compromised the firm’s Orion network management platform and injected backdoor malware which then shipped to customers as a ‘tainted’ update.

History is repeating itself even today, as proved by a still-developing incident at unified comms firm 3CX, which began when a product update was shipped with a security issue that is being exploited by a threat actor with links to the North Korean regime.

Read more about supply chain attacks

Read more on IT risk management