The OSC&R (Open Software Supply Chain Attack Reference) is an open source framework used for understanding and evaluating existing threats to overall software supply chain security.
OSC&R was created to establish a common language and structure for comprehending and evaluating the tactics, techniques, and procedures (TTPs) used by attackers to breach the security of software supply chains.
The goal is to provide the security community with a unified resource to evaluate their own approaches for securing software supply chains in advance and to compare solutions, according to the framework's founding members.
“In one episode of Star Trek, while working on vulnerabilities of the Enterprise in relation to the threat actor, Mr. Spock said, ‘Insufficient facts always invite danger, Captain!’ The same certainly holds true in cybersecurity, where a lack of knowledge increases vulnerability. By increasing the community's knowledge, OSC&R holds tremendous potential to mitigate risks to the software supply chain and reduce the attack surface more broadly,” said Dineshwar Sahni, director of product security at VISA, who also just joined the consortium of cybersecurity leaders behind OSC&R.
OSC&R can be used by security teams to evaluate existing defenses, define which threats need to be prioritized and how existing defenses address those threats, and help track the behaviors of attacker groups.
The project was added to GitHub earlier this week and was also recently endorsed by former U.S. National Security Agency Director Admiral Mike Rogers.