OSC&R supply chain security framework goes live on Github

Brian Jackson – stock.adobe.com

The OSC&R framework for understanding and evaluating threats to supply chain security has made its debut on Github to allow anybody to contribute to the framework

Alex Scroxton

By

Published: 30 Mar 2023 17:45

The backers of the Open Software Supply Chain Attack Reference (OSC&R) framework for supply chain security has gone live on Github, enabling anybody to contribute to the model.

The MITRE ATT&CK-like framework was launched in February with the stated goal of helping security teams improve their understanding of software supply chain threats, evaluate them and get to grips with them.

Led by Ox Security, an Israel-based supply chain specialist, the project’s backers include David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, co-founder and CEO of Ox Security; Lior Arzi, co-founder and CPO at Ox Security; Hiroki Suezawa, senior security engineer at GitLab; Eyal Paz, head of research at Ox Security; Chenxi Wang, former OWASP global board member; Shai Sivan, CISO at Kaltura; Naor Penso, head of product security at FICO; and Roy Feintuch, former cloud CTO at Check Point.

“After we launched OSC&R we were overwhelmed with emails from people working on elements within OSC&R and wanting to contribute,” said Neatsun Ziv, who served as Check Point’s vice-president of cyber security prior to founding Ox.

By moving to Github and opening the project to contributions we hope to capture this collective knowledge and experience for the benefit of the entire security community.”

At the same time, Visa product security Dineshwar Sahni has also joined the consortium, while former NSA director Mike Rogers, who ran the US intelligence agency from 2014 to 2018, has thrown his backing behind the project.

“Cyber security is a game of cat and mouse,” said Rogers. “Gaining the upper hand requires building a good threat model and OSC&R enables organisations to identify security requirements, pinpoint security threats and potential vulnerabilities, quantify threat and vulnerability criticality, and prioritise remediation methods.”

Sahni added: “In one episode of Star Trek, while working on vulnerabilities of the Enterprise in relation to the threat actor, Mr Spock said, ‘Insufficient facts always invite danger, Captain!’. The same certainly holds true in cyber security, where a lack of information increases vulnerability. By increasing the community’s knowledge, OSC&R holds tremendous potential to mitigate dangers to the software supply chain and reduce the attack surface more broadly.”

The framework’s backers believe their project will prove immensely valuable to companies looking to build out their software supply chain security programmes. Among other things, it can help evaluate existing defences, define threat prioritisation criteria, and track the behaviours of attacker groups.

The need for organisations to prioritise the resilience of their software supply chains has been hammered home repeatedly over the past few years, with arguably the most impactful incident being the SolarWinds incident of 2020/1, which began when Russian threat actors compromised the firm’s Orion network management platform and injected backdoor malware which then shipped to customers as a ‘tainted’ update.

History is repeating itself even today, as proved by a still-developing incident at unified comms firm 3CX, which began when a product update was shipped with a security issue that is being exploited by a threat actor with links to the North Korean regime.

Read more on IT risk management

Read More
Tomi Fetzer

Latest

Berita celebrates milestone as ‘Namhlanje’ turns two months old

Music Celebrities Published on May 20, 2026 Berita is celebrating her...

What is a DAC? How to get better Lossless Audio on iPhone and Mac

Music Image: FoundryOliver Schusser, Apple’s Vice President in charge...

Nick Jonas Reveals Whether Daughter Malti Will Follow in His Musical Footsteps

Music About UsSubscribeContact UsFAQCareersClosed CaptioningWatch Full EpisodesSitemapE! International TV...

Newsletter

Don't miss

Berita celebrates milestone as ‘Namhlanje’ turns two months old

Music Celebrities Published on May 20, 2026 Berita is celebrating her...

What is a DAC? How to get better Lossless Audio on iPhone and Mac

Music Image: FoundryOliver Schusser, Apple’s Vice President in charge...

Nick Jonas Reveals Whether Daughter Malti Will Follow in His Musical Footsteps

Music About UsSubscribeContact UsFAQCareersClosed CaptioningWatch Full EpisodesSitemapE! International TV...

Global musicians go east as China becomes a major touring destination

MusicChina Entertainment News: Global musicians go east as...

Business seminar in Munich highlights Hong Kong’s strategic roles amidst global shifts (with photos)

Business seminar in Munich highlights Hong Kong's strategic roles amidst global shifts (with photos) ******************************************************************************************      The Hong Kong Economic and Trade Office, Berlin (HKETO Berlin), promoted Hong Kong's unique advantages and strategic roles at the seminar "Hong Kong's strategic role amidst geopolitical tensions" on June 18 (Munich time) in Munich, Germany.             Senior executives, investors

AI for business services: From job fears to productivity

AI for business services: From job fears to productivity

Business Insurance-AZ Achieves Record Response Times for 2026 Arizona Construction Bids

Business Insurance-AZ achieves milestone response speeds for commercial construction bids across Arizona, accelerating documentation delivery to keep local projects moving forward without delay. Phoenix, AZ, June 06-2026, ZEX PR WIRE — Business Insurance-AZ has achieved record-breaking processing speeds and response times for commercial construction bids throughout Arizona, directly supporting the state’s massive infrastructure and advanced manufacturing boom