With the entire software supply chain increasingly targeted by threat actors, the need emerged for a MITRE ATT&CK-like security framework that would allow experts to better understand and measure risk — a process that until now could only be based on intuition and experience.
OSC&R is designed to provide a common language and structure for understanding and analysing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains.
The founding consortium of cybersecurity leaders behind OSC&R includes:
- Neatsun Ziv, co-founder and CEO of OX Security;
- David Cross, former Microsoft and Google Cloud security executive;
- Hiroki Suezawa, senior security engineer at GitLab;
- Naor Penso, head of product security at FICO;
- Phil Quade, former CISO at Fortinet.
The matrix, which is set to be updated as cyber attacks continue to evolve, is now ready for security teams to use in evaluating existing defences and deciding which threats need to be prioritised.
Additionally, security teams will be able to better understand how their existing coverage addresses those threats, and to track the behaviour of attacker groups.
It will also assist red-teaming activities by helping set the scope required for a penetration test or a red team exercise, serving as a scorecard both during and after the test.
“Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn’t productive,” said Neatsun Ziv, co-founder and CEO of OX Security.
“Without an agreed-upon definition of the software supply chain, security strategies are often siloed.”
Hiroki Suezawa, senior security engineer at GitLab, commented: “OSC&R helps security teams build their security strategy with confidence.
“We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions.”
Naor Penso, head of product security at FICO, added: “I believe the OSC&R framework will help organisations reduce their attack surface.
“I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise.”
The new OSC&R framework is now available online.