June 16, 2024

OSC&R framework to stop supply chain attacks in the wild




A group of cyber security leaders and influencers have joined together to launch an open framework to help security teams improve their understanding of threats to their software supply chains, and to measure and get to grips with them.

The Open Software Supply Chain Attack Reference, or OSC&R, is a MITRE ATT&CK-like framework created with input from the likes of Check Point, Fortinet, GitLab, Google, Microsoft, OWASP, and others, led by Ox Security, an Israel-based supply chain security specialist.

In light of the growing number of major cyber incidents that began through exploitation of vulnerabilities in software, whether closed or open source, the group believes there is a concrete need for a consistent framework to let practitioners understand and measure their supply chain risk, which up to now, they say, could only really be done through a combination of intuition and lived experience.

“Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain is not productive,” said Neatsun Ziv, a former Check Point vice-president, who founded Ox Security – which emerged from stealth in September 2022 backed by $34m of funding.

“Without an agreed-upon definition of the software supply chain, security practices are often siloed,” he said.

OSC&R is intended to help with this by creating a common language and structure to help security teams understand and analyse the tactics, techniques and procedures (TTPs) that threat actors use to compromise downstream victims via their software supply chains.

The framework, which is set out in more detail here, is now available and ready to be used to help teams evaluate their defences, define which threats they need to prioritise, understand how their existing security postures might address those threats, and help track attacker behaviours.

Its backers hope to update it as new TTPs emerge and evolve, and eventually plan to have the framework support red-teaming activities by helping to set the scope of exercises, serving as a kind of scorecard during and after such testing. It is also open to other security practitioners to contribute to, should they wish.

“OSC&R helps security teams build their security strategy with confidence,” said Hiroki Suezawa, senior security engineer at GitLab. “We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions.”

More work needed?

Tim Mackey, head of software supply chain risk strategy at the Synopsys Software Integrity Group, said that the project held much potential, but that more work needed to be done.

Since software supply chains are prone to complexity thanks to the many interactions between developers, infrastructure providers, data processors and software operators, the inherent risks are deeply entwined and hard to determine.

“The OSC&R model that has been proposed by the Pipeline Bill of Materials [PBOM] group is one way to describe weaknesses in the form of an attack model. In its current state, however, it lacks significant detail to describe examples of potential attacks, mitigations and detections,” he said.

“It will be interesting to see how OSC&R evolves, and to see how it ultimately aligns with proven models such as MITRE ATT&CK, where it is possible that OSC&R might represent a richer level of granularity than currently exists for compromise software supply chain.”


Security has become an essential part of our lives, especially when it comes to supply chains. In recent years, we have seen a significant increase in the number of attacks on the global supply chain, resulting in the loss of valuable resources, data, and money. To address this problem, researchers have proposed an innovative framework called the Open Systems and Cybersecurity Risk (OSC&R) framework that aims to stop these attacks in real time.

The OSC&R framework is an open-source project that was created in response to the need for better supply chain security. It is designed to identify malicious activity and suspect behaviour before it has a chance to cause harm. The framework uses multiple interconnected technologies, such as artificial intelligence, blockchain, and machine learning, to detect anomalies and irregularities in the activity of the supply chain system.

The OSC&R framework is designed to monitor the entire supply chain process in real time. It does this by monitoring all the inputs and events that occur across the supply chain. When an anomaly occurs, the framework raises an alert. It also provides a detailed analysis of the events that have occurred and suggests possible steps that can be taken to prevent further attack.

To enhance the security of the system, the framework also provides several security mechanisms, such as authentication, authorization, and other access controls. Additionally, it enables organizations to control which entities are connected to their global supply chains. It also grants organizations access to both private and public databases in order to gather data and insights about the activity in their supply chains.

The OSC&R framework provides a comprehensive solution for protecting global supply chains from attack. It makes it easy for organizations to monitor their supply chains, detect anomalies, and prevent attacks before they occur. As a result, the OSC&R framework is an effective tool for organizations seeking to protect their supply chains from attack.