The founding members of OSC&R (Open Software Supply Chain Attack Reference), the first and only open framework for understanding and evaluating threats across the entire software supply chain, announced today that the framework is now on GitHub, allowing anyone to contribute to the model. OSC&R has also received the endorsement of former U.S. National Security Agency Director Admiral Mike Rogers, and Dineshwar Sahni has joined the other prominent industry figures adopting the framework.
Spearheaded by OX Security, OSC&R is a framework in the style of MITRE ATT&CK, designed to provide a common language and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) adversaries use to compromise software supply chains. It aims to give the security community a single point of reference for proactively assessing their own supply chain security strategies and for comparing solutions.
“After we launched OSC&R we were overwhelmed with emails from people working on elements within OSC&R and wanting to contribute,” said OX Security CEO and co-founder Neatsun Ziv, who served as Check Point’s VP of Cyber Security prior to founding OX. “By moving to GitHub and opening the project to contributions we hope to capture this collective knowledge and experience for the benefit of the entire security community. It provides real value to the project to now have Mike and Dineshwar as part of the community, as well.”
“Cybersecurity is a game of cat and mouse,” said Mike Rogers. “Gaining the upper hand requires building a good threat model and OSC&R enables organizations to identify security requirements, pinpoint security threats and potential vulnerabilities, quantify threat and vulnerability criticality, and prioritize remediation methods.”
Dineshwar Sahni now joins the consortium of cybersecurity leaders behind OSC&R, which includes: David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, Co-Founder and CEO of OX Security; Lior Arzi, Co-Founder and CPO at OX Security; Hiroki Suezawa, Senior Security Engineer at GitLab; Eyal Paz, Head of Research at OX Security; Dr. Chenxi Wang, former OWASP Global Board member; Shai Sivan, CISO at Kaltura; Naor Penso, Head of Product Security at FICO; and Roy Feintuch, former Cloud CTO at Check Point Software Technologies.
“In one episode of Star Trek, while working on vulnerabilities of the Enterprise in relation to the threat actor, Mr. Spock said, ‘Insufficient facts always invite danger, Captain!’ The same certainly holds true in cybersecurity, where a lack of information increases vulnerability. By increasing the community’s knowledge, OSC&R holds tremendous potential to mitigate dangers to the software supply chain and reduce the attack surface more broadly,” according to Sahni.
For companies looking to build out a software supply chain security program, the OSC&R framework can help guide the effort. Security teams can use OSC&R to evaluate existing defenses, decide which threats to prioritize, determine how well existing coverage addresses those threats, and track the behaviors of attacker groups against a shared set of techniques.
Founding members of OSC&R share a common mission of helping security teams reduce their attack surface and build their security strategy with confidence. “The velocity, diversity, and dynamic nature of the modern-day engineering ecosystem have reshaped the Software Supply Chain Security domain,” said David Cross, former Microsoft and Google cloud security executive and founding member of OSC&R. “Tools that standardize on OSC&R will provide continuity and cohesiveness that many security strategies are often lacking.”