A new open framework seeks to give enterprises and security teams a comprehensive, actionable way to understand the behaviors and techniques of attackers who target the software supply chain. The Open Software Supply Chain Attack Reference (OSC&R) initiative, led by OX Security, assesses software supply chain security threats and covers a wide range of attack vectors, including vulnerabilities in third-party libraries and components, supply chain attacks against build and deployment systems, and compromised or malicious software updates. Cybersecurity experts in the matrix’s founding consortium include representatives from GitLab, as well as former leaders from Microsoft, Google Cloud, Check Point Technologies, and OWASP.
OSC&R addresses the need for a MITRE-like security framework for the software supply chain
The OSC&R framework was created to address the need for a framework like MITRE ATT&CK that helps professionals better understand and measure software supply chain risk, Neatsun Ziv, founder of OX Security, told CSO. “In other areas, such as endpoints and ransomware, there are good frameworks that give us a complete picture of the threat,” he says. “There is absolutely no understanding in the industry when it comes to the software supply chain … and incorporate it into a framework that can be used to understand what they are exposed to, and try to understand how to address them in an expedited manner.”
Hiroki Suezawa, senior security engineer at GitLab, says the framework will help the security community actively evaluate their own strategies for securing their software supply chain and compare solutions, and will help security teams gain confidence by providing a single point of reference for building a security strategy.
The OSC&R framework focuses on software supply chain attack methods
The OSC&R framework focuses on the attack kill chain and the processes attackers employ to carry out software supply chain attacks, says Ziv. “The OSC&R framework follows the steps attackers take, gives defenders visibility they don’t currently have, helps defenders protect themselves, and helps them understand where their vulnerabilities lie, where to focus their efforts, and what to do,” he adds.
Security teams can use OSC&R to assess existing defenses, define which threats need to be prioritized, and track how existing coverage addresses those threats. The framework will be updated regularly as new tactics and techniques emerge and evolve, helping set the necessary scope for pentesting and red teaming exercises and serving as a scorecard both during and after testing.
About 20 companies have contributed to the framework as part of the working group, which aims to open the framework to wider industry contributions in the coming months, OX Security consultant Yeal Citro told CSO. “Everyone will be able to share their knowledge, expertise, and experience. That’s what the project is all about,” she adds.
Software supply chain security remains a key challenge
As breaches and risks associated with the software supply chain continue to impact organizations around the world, software supply chain security has become a critical issue for enterprises and the security industry. Last September, the U.S. National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Office of the Director of National Intelligence (ODNI) published Securing the Software Supply Chain: A Recommended Practices Guide for Developers. The publication emphasizes the role developers play in creating secure software and provides guidance, in line with industry best practices and principles, that software developers are strongly encouraged to consult.
In July, the Center for Internet Security published similar best-practice guidance for securing each phase of the software supply chain. In May, Rezilion launched Dynamic SBOM (Software Bill of Materials), an application designed to plug into an organization’s software environment and examine how its components behave at runtime in order to uncover bugs and vulnerabilities.
Copyright © 2023 IDG Communications, Inc.