OX Security Launches Open Framework to Evaluate Threats to Supply Chain

OX Security, a software supply chain security provider, has launched its Open Software Supply Chain Attack Reference (OSC&R), a MITRE-like framework for security experts to understand and evaluate existing threats to the software supply chain.

Protecting Against Supply Chain Hackers

OSC&R provides a common language and structure to understand and analyze the tactics, techniques, and procedures (TTPs) supply chain hackers use. The platform enables security teams to evaluate and define:

  • Supply chain threat priorities
  • How existing coverage addresses those threats
  • Which attacker-group behaviors to track

The matrix framework is open for other cybersecurity leaders and practitioners to contribute to, and the founders will update it as new TTPs surface, OX said. OSC&R is also designed to support red-team exercises: it helps set the scope required for a pentest or red-team activity and serves as a scorecard both during and after the test.

Cyber Leaders Back OSC&R

The founding consortium of 10 cybersecurity leaders supporting OSC&R includes:

  • David Cross, former Microsoft and Google cloud security executive
  • Neatsun Ziv, Co-Founder and CEO of OX Security
  • Lior Arzi, Co-Founder and CPO at OX Security
  • Hiroki Suezawa, Senior Security Engineer at GitLab
  • Eyal Paz, Head of Research at OX Security
  • Phil Quade, former CISO at Fortinet
  • Dr. Chenxi Wang, former OWASP Global Board member
  • Shai Sivan, CISO at Kaltura
  • Naor Penso, Head of Product Security at FICO
  • Roy Feintuch, former Cloud CTO at Check Point Technologies

"Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn't productive," said Ziv, who served as Check Point's vice president of cybersecurity before founding OX. "Without an agreed-upon definition of the software supply chain, security strategies are often siloed."