Jürgen Fälchle - stock.adobe.c

OSC&R framework to stop supply chain attacks in the wild

The backers of a new MITRE ATT&CK style framework called OSC&R hope to help organisations get to grips with threats to their software supply chains

A team of cyber security leaders and influencers have joined together to launch an open framework to help security teams improve their understanding of threats to their software supply chains, and evaluate and get to grips with them.

The Open Software Supply Chain Attack Reference, or OSC&R, is a MITRE ATT&CK-like framework created with input from the likes of Check Point, Fortinet, GitLab, Google, Microsoft, OWASP, and others, led by Ox Security, an Israel-based supply chain security specialist.

In light of the growing number of major cyber incidents that began via exploitation of vulnerabilities in software, whether closed or open source, the group believes there is a concrete need for a solid framework to let experts understand and measure their supply chain risk, which up to now, they say, could only really be done via a combination of intuition and lived experience.

“Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn’t productive,” said Neatsun Ziv, a former Check Point vice-president, who founded Ox Security – which emerged from stealth in September 2022 backed by $34m of funding.

“Without an agreed-upon definition of the software supply chain, security strategies are often siloed,” he said.

OSC&R will supposedly help this by establishing a common language and structure to help security teams understand and analyse the tactics, techniques and procedures (TTPs) that threat actors use to compromise downstream victims via their software supply chains.

The framework, which is set out in more detail here, is already available and ready to be used to help teams evaluate their defences, define what threats they need to prioritise, understand how their existing security postures might address said threats, and to help track attacker behaviours.

Its backers hope to update it as new TTPs emerge and evolve, and eventually plan to have the framework assist red-teaming activities by helping set the scope of exercises, serving as a kind of scorecard during and after such testing. It is also open to other security practitioners to contribute to, should they wish.

“OSC&R helps security teams build their security strategy with confidence,” said Hiroki Suezawa, senior security engineer at Gitlab. “We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions.”

More work needed?

Tim Mackey, head of software supply chain risk strategy at the Synopsys Software Integrity Group, said that the project held much potential, but that more work needed to be done.

Since software supply chains are prone to complexity thanks to the multiple relationships between developers, infrastructure providers, data processors and software operators, the inherent risks are deeply entwined and difficult to determine.

“The OSC&R model that has been proposed by the Pipeline Bill of Materials [PBOM] community is one way to describe weaknesses in the form of an attack model. In its current state however, it lacks significant detail to describe examples of potential attacks, mitigations and detections,” he said.

“It will be interesting to see how OSC&R evolves, and to see how it ultimately aligns with proven models such as MITRE ATT&CK where it’s possible that OSC&R might represent a richer level of granularity than currently exists for compromise software supply chain.”

Read more about supply chain security

  • It may have hit the headlines as an IT issue, but supply chain security goes far deeper into an organisation than just technology.
  • As the prospect of federally mandated SBOM drives up usage of the software supply chain security tech, the US government's documentation so far adds to risky confusion, experts say.
  • Google’s Software Delivery Shield reduces security risks across the development pipeline, but it also increases developer productivity, according to industry experts.

Read more on Application security and coding requirements

Data Center
Data Management