OX Security, a software supply chain security provider, has launched its Open Software Supply Chain Attack Reference (OSC&R), a MITRE-like framework for security experts to understand and evaluate existing threats to the software supply chain.
Protecting Against Supply Chain Hackers
OSC&R provides a common language and structure to understand and analyze the tactics, techniques, and procedures (TTPs) supply chain hackers use. The platform enables security teams to evaluate and define:
Supply chain threat priorities
How existing coverage addresses the threats
Tracking the behaviors of attacker groups

The matrix framework is open for other cybersecurity leaders and practitioners to contribute to OSC&R. The founders will update the OSC&R framework as new TTPs surface, OX said. OSC&R is also designed to support red-team exercises by helping set the scope required for a pentest or a red team activity, serving as a scorecard both during and after the test.
Cyber Leaders Back OSC&R
The founding consortium of 10 cybersecurity leaders supporting OSC&R includes:
David Cross, former Microsoft and Google cloud security executive
Neatsun Ziv, Co-Founder and CEO of OX Security
Lior Arzi, Co-Founder and CPO at OX Security
Hiroki Suezawa, Senior Security Engineer at GitLab
Eyal Paz, Head of Research at OX Security
Phil Quade, former CISO at Fortinet
Dr. Chenxi Wang, former OWASP Global Board member
Shai Sivan, CISO at Kaltura
Naor Penso, Head of Product Security at FICO
Roy Feintuch, former Cloud CTO at Check Point Technologies

"Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn't productive," said Ziv, who served as Check Point's vice president of cybersecurity before founding OX. "Without an agreed-upon definition of the software supply chain, security strategies are often siloed."