OX Security, a software supply chain security provider, has launched its Open Software Supply Chain Attack Reference (OSC&R), a MITRE-like framework for security experts to understand and evaluate existing threats to the software supply chain.Supply chain threat priorities How existing coverage addresses the threats Track behaviors of attacker groups The matrix framework is available for other cybersecurity leaders and practitioners to contribute to OSC&R. The founders will update the OSC&R framework as new TTPs surface, OX said. OSC&R is also designed to help red-team exercises by helping set the scope required for a pentest or a red team activity, serving as a scorecard both during and after the test.David Cross, former Microsoft and Google cloud security executive Neatsun Ziv, Co-Founder and CEO of OX Security Lior Arzi, Co-Founder and CPO at OX Security Hiroki Suezawa, Senior Security Engineer at GitLab Eyal Paz, Head of Research at OX Security Phil Quade, former CISO at Fortinet Dr. Chenxi Wang, former OWASP Global Board member Shai Sivan, CISO at Kaltura Naor Penso, Head of Product Security at FICO Roy Feintuch, former Cloud CTO at Check Point Technologies
Protecting Against Supply Chain Hackers
OSC&R provides a common language and structure to understand and analyze the tactics, techniques, and procedures (TTPs) supply chain hackers use. The platform enables security teams to evaluate and define:Cyber Leaders Back OSC&R
The founding consortium of 10 cybersecurity leaders supporting OSC&R include:"Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn't productive," said Ziv, who served as Check Point's vice president of cybersecurity before founding OX. "Without an agreed-upon definition of the software supply chain, security strategies are often siloed."
