OSC&R supply chain security framework goes live on Github
The backers of the Open Software Supply Chain Attack Reference (OSC&R) framework for supply chain security have taken the project live on Github, enabling anyone to contribute to the model.
The MITRE ATT&CK-like framework was launched in February with the stated aim of helping security teams improve their understanding of software supply chain threats, evaluate them and get to grips with them.
Led by Ox Security, an Israel-based supply chain specialist, the project’s backers include David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, co-founder and CEO of Ox Security; Lior Arzi, co-founder and CPO at Ox Security; Hiroki Suezawa, senior security engineer at GitLab; Eyal Paz, head of research at Ox Security; Chenxi Wang, former OWASP global board member; Shai Sivan, CISO at Kaltura; Naor Penso, head of product security at FICO; and Roy Feintuch, former cloud CTO at Check Point.
“After we launched OSC&R we were overwhelmed with emails from people working on elements within OSC&R and wanting to contribute,” said Neatsun Ziv, who served as Check Point’s vice-president of cyber security prior to founding Ox.
“By moving to Github and opening the project to contributions we hope to capture this collective knowledge and experience for the benefit of the entire security community.”
At the same time, Dineshwar Sahni of Visa product security has also joined the consortium, while former NSA director Mike Rogers, who ran the US intelligence agency from 2014 to 2018, has thrown his backing behind the project.
“Cyber security is a game of cat and mouse,” said Rogers. “Gaining the upper hand requires building a good threat model and OSC&R enables organisations to identify security requirements, pinpoint security threats and potential vulnerabilities, quantify threat and vulnerability criticality, and prioritise remediation methods.”
Sahni added: “In one episode of Star Trek, while working on vulnerabilities of the Enterprise in relation to the threat actor, Mr Spock said, ‘Insufficient facts always invite danger, Captain!’. The same certainly holds true in cyber security, where a lack of information increases vulnerability. By increasing the community’s knowledge, OSC&R holds tremendous potential to mitigate dangers to the software supply chain and reduce the attack surface more broadly.”
The framework’s backers believe their project will prove immensely valuable to organisations looking to build out their software supply chain security programmes. Among other things, it could help them evaluate existing defences, define threat prioritisation criteria, and track the behaviours of attacker groups.
The need for organisations to prioritise the resilience of their software supply chains has been hammered home repeatedly over the past few years, with arguably the most impactful incident being the SolarWinds incident of 2020/1, which began when Russian threat actors compromised the firm’s Orion network management platform and injected backdoor malware which then shipped to customers as a ‘tainted’ update.
History is repeating itself even today, as proven by a still-developing incident at unified comms firm 3CX, which began when a product update was shipped with a security issue that is being exploited by a threat actor with links to the North Korean regime.