SD Occasions Open-Supply Undertaking of the Week: OSC&R Software program Provide Chain Assault Matrix

The OSC&R (Open Software program Provide Chain Assault Reference) is an open supply framework used for understanding and evaluating present threats to total software program provide chain safety.

OSC&R was created to ascertain a normal language and construction for comprehending and evaluating the techniques, strategies, and procedures (TTPs) utilized by attackers to breach the safety of software program provide chains. 

The objective is to supply the safety neighborhood with a unified useful resource to guage their very own approaches for securing software program provide chains prematurely and evaluate options, in line with the framework’s founding members. 

“In a single episode of Star Trek, whereas engaged on vulnerabilities of the Enterprise in relation to the menace actor, Mr. Spock stated, ‘Inadequate information all the time invite hazard, Captain!’ The identical actually holds true in cybersecurity, the place a lack of know-how will increase vulnerability. By growing the neighborhood’s data, OSC&R holds great potential to mitigate risks to the software program provide chain and cut back the assault floor extra broadly,” stated Dineshwar Sahni, director of product safety at VISA who additionally simply joined the consortium of cybersecurity leaders behind OSC&R.

OSC&R can be utilized by safety groups to guage present defenses, outline which threats should be prioritized, and the way present protection addresses these threats, in addition to to assist observe the behaviors of attacker teams.

The mission was added to GitHub earlier this week and was additionally not too long ago endorsed by former U.S. Nationwide Safety Company Director Admiral Mike Rogers.