Meet OSC&R: The First Attack Matrix for Software Supply Chain Security

PBOM pipeline bill of materials

Current and former cybersecurity leaders from Microsoft, Google, GitLab, Check Point, OWASP, Fortinet and others have already joined the open framework initiative, which is being led by OX Security

“Are we protected?” is a simple question your CEO may ask after reading about the latest cyber attack. The honest answer is “I don’t know” because there was no MITRE-like framework for understanding attackers’ techniques, tactics and procedures used by adversaries to compromise the security of software supply chains. 

Until now.

Meet OSC&R!

Led by OX Security, a group of current and former top cyber security experts from companies like Google, GitLab, FICO, Check Point, and Fortinet have come together to launch the Open Software Supply Chain Attack Reference (OSC&R) framework, the first and only open framework for understanding and evaluating existing threats to entire software supply chain security. 

The founding consortium of cybersecurity leaders behind OSC&R include: David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, Co-Founder and CEO of OX Security; Lior Arzi, Co-Founder and CPO at OX Security; Hiroki Suezawa, Senior Security Engineer at GitLab; Eyal Paz, Head of Research at OX Security; Phil Quade, former CISO at Fortinet; Dr. Chenxi Wang, former OWASP Global Board member; Shai Sivan, CISO at Kaltura; Naor Penso, Head of Product Security at FICO; and Roy Feintuch, former Cloud CTO at Check Point Technologies.

Discussions with hundreds of industry leaders revealed that there was a very concrete need for a MITRE-like framework that would allow experts to better understand and measure supply chain risk, a process that until now could only be  based on intuition and experience. OSC&R is designed to provide a common language  and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains.

“Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn’t productive,” said Neatsun Ziv, who served as Check Point’s VP of Cyber Security before founding OX. “Without an agreed-upon definition of the software supply chain, security strategies are often siloed.”

OSC&R can be used by security teams to evaluate existing defenses and define which threats need to be prioritized, how existing coverage addresses those threats, as well as to help track behaviors of attacker groups. 

“OSC&R helps security teams build their security strategy with confidence,” said Hiroki Suezawa, Senior Security Engineer at Gitlab. “We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions,” he continued.

The OSC&R framework will update as new tactics and techniques emerge and evolve. It will also assist red-teaming activities by helping set the scope required for a pentest or a red team exercise, serving as a scorecard both during and after the test. The framework will also now be open for other cybersecurity leaders and practitioners to contribute to OSC&R. 

“I believe the OSC&R framework will help organizations reduce their attack surface,” said Naor Penso, Head of Product Security at FICO. “I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise.”


The OSC&R framework is now online:

Subscribe for updates