A group of cybersecurity leaders and influencers have joined together to launch an open framework to help security teams improve their understanding of software supply chain threats, and to evaluate and grapple with them.
The Open Software Supply Chain Attack Reference, or OSC&R, is a MITRE ATT&CK-like framework developed with input from the likes of Check Point, Fortinet, GitLab, Google, Microsoft, OWASP and others, led by Ox Security, an Israel-based supply chain security specialist.
In light of the growing number of cyber incidents that begin with the exploitation of vulnerabilities in software, whether closed or open source, the group believes that practitioners need a solid framework for understanding and measuring risk in their supply chain, something which until now, they say, could only really be done through a combination of intuition and lived experience.
“Trying to talk about supply chain security without a general understanding of what constitutes a software supply chain is not productive,” said Neatsun Ziv, a former Check Point vice-president who founded Ox Security, which emerged from stealth in September 2022 backed by $34 million in funding.
“Without an agreed definition of the software supply chain, security strategies are often siloed,” he said.
OSC&R is intended to help by establishing a common language and framework that security teams can use to understand and analyze the tactics, techniques and procedures (TTPs) threat actors use to compromise downstream victims through their software supply chain.
The framework, which is set out in more detail here, is already available and ready to use to help teams assess their defenses, decide which threats they should prioritize, understand how their existing security posture addresses those threats, and track attacker behaviors.
Its backers intend to update it as new TTPs emerge and evolve, and eventually plan for the framework to support red-teaming activities, helping to identify opportunities for exercises and serving as a kind of scorecard during and after them. It is open to contributions from other security practitioners who wish to take part.
“OSC&R helps security teams build their security strategy with confidence,” said Hiroki Suezawa, senior security engineer at GitLab. “We wanted to give the security community a single reference to proactively evaluate their own strategies for securing their software supply chains and compare solutions.”
Needs more work?
Tim Mackey, head of software supply chain risk strategy at the Synopsys Software Integrity Group, says the project has a lot of potential but needs more work.
Because software supply chains tend to be complex, owing to the many relationships between developers, infrastructure providers, data processors and software operators, the underlying risks are deeply intertwined and difficult to quantify.
“The OSC&R model proposed by the Pipeline Bill of Materials [PBOM] Community is a way of describing vulnerabilities in the form of an attack model. In its current state, however, it lacks significant detail to describe examples of possible attacks, mitigations and detections,” he said.
“It will be interesting to see how OSC&R evolves, and how it ultimately aligns with proven models like MITRE ATT&CK, where it is possible that OSC&R compromises could represent a richer level of granularity than currently exists for the software supply chain.”