
OX Security Launches Open Framework to Evaluate Threats to Supply Chain


OX Security, a software supply chain security provider, has launched the Open Software Supply Chain Attack Reference (OSC&R), a MITRE ATT&CK-style matrix that gives security practitioners a structured way to understand and evaluate existing threats to the software supply chain.

Protecting Against Supply Chain Hackers

OSC&R provides a common language and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) that supply chain attackers use. The framework lets security teams evaluate and define:

  • Their supply chain threat priorities
  • How their existing controls cover those threats
  • Which attacker-group behaviors they need to track

The matrix is open for other cybersecurity leaders and practitioners to contribute to, and the founders will update OSC&R as new TTPs surface, OX said. OSC&R is also intended to support red-team exercises: it can be used to set the scope of a pentest or red-team engagement and then serve as a scorecard both during and after the test.

Cyber Leaders Back OSC&R

The founding consortium of 10 cybersecurity leaders supporting OSC&R includes:

  • David Cross, former Microsoft and Google cloud security executive
  • Neatsun Ziv, Co-Founder and CEO of OX Security
  • Lior Arzi, Co-Founder and CPO at OX Security
  • Hiroki Suezawa, Senior Security Engineer at GitLab
  • Eyal Paz, Head of Research at OX Security
  • Phil Quade, former CISO at Fortinet
  • Dr. Chenxi Wang, former OWASP Global Board member
  • Shai Sivan, CISO at Kaltura
  • Naor Penso, Head of Product Security at FICO
  • Roy Feintuch, former Cloud CTO at Check Point Technologies

"Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn't productive," said Ziv, who served as Check Point's vice president of cybersecurity before founding OX. "Without an agreed-upon definition of the software supply chain, security strategies are often siloed."

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.