Cybersecurity Leaders Launch First Attack Matrix For Software Supply Chain Security


Current and former cybersecurity leaders from Microsoft, Google, GitLab, Check Point, OWASP, Fortinet and others have already joined the open framework initiative, which OX Security is leading.

OX Security, the first end-to-end software supply chain security solution, announced the launch of OSC&R (Open Software Supply Chain Attack Reference), the first and only open framework for understanding and evaluating existing threats to entire software supply chain security.

The founding consortium of cybersecurity leaders behind OSC&R includes David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, Co-Founder and CEO of OX Security; Lior Arzi, Co-Founder and CPO at OX Security; Hiroki Suezawa, Senior Security Engineer at GitLab; Eyal Paz, Head of Research at OX Security; Phil Quade, former CISO at Fortinet; Dr Chenxi Wang, former OWASP Global Board member; Shai Sivan, CISO at Kaltura; Naor Penso, Head of Product Security at FICO; and Roy Feintuch, former Cloud CTO at Check Point Technologies.

Discussions with hundreds of industry leaders revealed that there was a very concrete need for a MITRE-like framework that would allow experts to understand better and measure supply chain risk, a process that until now could only be based on intuition and experience. OSC&R is designed to provide a common language and structure for understanding and analysing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains.

“Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn’t productive,” said Neatsun Ziv, who served as Check Point’s VP of Cyber Security before founding OX. “Without an agreed-upon definition of the software supply chain, security strategies are often siloed.”

OSC&R is now ready to be used by security teams to evaluate existing defences and define which threats need to be prioritised, and how existing coverage addresses those threats, as well as to help track behaviours of attacker groups.

“OSC&R helps security teams build their security strategy with confidence,” said Hiroki Suezawa, Senior Security Engineer at Gitlab. “We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions,” he continued.

The OSC&R framework will update as new tactics and techniques emerge and evolve. It will also assist red-teaming activities by helping set the scope required for a pentest or a red team exercise, serving as a scorecard both during and after the test. The framework will also now be open for other cybersecurity leaders and practitioners to contribute to OSC&R.

“I believe the OSC&R framework will help organisations reduce their attack surface,” said Naor Penso, Head of Product Security at FICO. “I am proud to take part in a project that can have such a major impact on the future security landscape and to share our knowledge and expertise.”