The Open Software Supply Chain Attack Reference (OSC&R) for supply chain security has been uploaded to GitHub by its supporters, allowing anyone to contribute to the model.
The MITRE ATT&CK-like framework was launched in February with the stated goal of helping security teams understand, assess, and contain software supply chain threats.
Directed by Ox Security, an Israel-based supply chain specialist, the project's backers include David Cross, former head of cloud security at Microsoft and Google; Neatsun Ziv, co-founder and CEO of Ox Security; Lior Arzi, co-founder and CPO at Ox Security; Hiroki Suezawa, senior security engineer at GitLab; Eyal Paz, head of research at Ox Security; Chenxi Wang, former OWASP Global Board Member; Shai Sivan, CISO at Kaltura; Naor Penso, product safety manager at FICO; and Roy Feintuch, former CTO of Cloud at Check Point.
“After launching OSC&R, we were inundated with emails from people working on things within OSC&R who wanted to contribute,” said Neatsun Ziv, who served as Check Point’s vice president of cybersecurity before founding Ox.
“By switching to GitHub and by opening the project to contributions, we hope to capture this collective knowledge and experience for the benefit of the entire security community.”
Meanwhile, Dineshwar Sahni of Visa product security also joined the consortium, while former NSA director Mike Rogers, who led the US intelligence agency from 2014 to 2018, lent his support to the project.
“Cybersecurity is a game of cat and mouse,” Rogers said. “Getting the upper hand requires building a good threat model and OSC&R enables organizations to identify security requirements, identify potential security threats and vulnerabilities, quantify the criticality of threats and vulnerabilities, and prioritize remedial methods.”
Sahni added, “In an episode of Star Trek, while working on the Enterprise’s vulnerabilities to the threat actor, Mr. Spock said, ‘Insufficient facts always invite danger, Captain!’ The same is certainly true in the field of cybersecurity, where the lack of information increases vulnerability. By increasing community knowledge, OSC&R holds enormous potential to mitigate dangers to the software supply chain and reduce the attack surface more broadly.”
The framework’s backers believe their project will prove extremely valuable to companies looking to scale their software supply chain security programs. Among other things, it can help assess existing defenses, set criteria for prioritizing threats, and track attacker group behaviors.
The need for organizations to prioritize the resilience of their software supply chains has been hammered home repeatedly over the past few years, with arguably the most impactful incident being the SolarWinds incident of 2020/1, which began when Russian threat actors compromised the company’s Orion networking platform and injected backdoor malware that was then shipped to customers as a “tainted” update.
History repeats itself today, as evidenced by a still-developing incident at the unified communications company 3CX, which began when a product update shipped with a security issue exploited by a threat actor with ties to the North Korean regime.