OX Security, a software supply chain security provider, has launched its Open Software Supply Chain Attack Reference (OSC&R), a MITRE-like framework for security experts to understand and evaluate existing threats to the software supply chain.
Protecting Against Supply Chain Hackers
OSC&R provides a common language and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) that supply chain attackers use. The framework lets security teams evaluate and define:
- Supply chain threat priorities
- How existing coverage addresses those threats
- Which attacker-group behaviors to track
The matrix framework is open for other cybersecurity leaders and practitioners to contribute to, and the founders will update OSC&R as new TTPs surface, OX said. OSC&R is also designed to support red-team exercises: it helps define the scope of a pentest or red-team engagement and serves as a scorecard both during and after the test.
Cyber Leaders Back OSC&R
The founding consortium of 10 cybersecurity leaders supporting OSC&R includes:
- David Cross, former Microsoft and Google cloud security executive
- Neatsun Ziv, Co-Founder and CEO of OX Security
- Lior Arzi, Co-Founder and CPO at OX Security
- Hiroki Suezawa, Senior Security Engineer at GitLab
- Eyal Paz, Head of Research at OX Security
- Phil Quade, former CISO at Fortinet
- Dr. Chenxi Wang, former OWASP Global Board member
- Shai Sivan, CISO at Kaltura
- Naor Penso, Head of Product Security at FICO
- Roy Feintuch, former Cloud CTO at Check Point Technologies
"Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn't productive," said Ziv, who served as Check Point's vice president of cybersecurity before founding OX. "Without an agreed-upon definition of the software supply chain, security strategies are often siloed."