{"id":623922,"date":"2023-03-31T09:49:35","date_gmt":"2023-03-31T14:49:35","guid":{"rendered":"https:\/\/news.sellorbuyhomefast.com\/index.php\/2023\/03\/31\/oscr-supply-chain-security-framework-goes-live-on-github\/"},"modified":"2023-03-31T09:49:35","modified_gmt":"2023-03-31T14:49:35","slug":"oscr-supply-chain-security-framework-goes-live-on-github","status":"publish","type":"post","link":"https:\/\/newsycanuse.com\/index.php\/2023\/03\/31\/oscr-supply-chain-security-framework-goes-live-on-github\/","title":{"rendered":"OSC&#038;R supply chain security framework goes live on Github"},"content":{"rendered":"<div>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.computerweekly.com\/visuals\/ComputerWeekly\/Hero Images\/dice-risk-gamble-adobe_searchsitetablet_520X173.jpg\" data-credit=\"Brian Jackson - stock.adobe.com\"  width=\"520\" height=\"173\" alt><\/p>\n<p>Brian Jackson &#8211; stock.adobe.com<\/p>\n<\/div>\n<div id=\"content-header\">\n<h2>The OSC&#038;R framework for understanding and evaluating threats to supply chain security has made its debut on Github to allow anybody to contribute to the framework<\/h2>\n<\/div>\n<div id=\"content-center\">\n<div id=\"contributors-block\">\n<p><img decoding=\"async\" src=\"https:\/\/cdn.ttgtmedia.com\/rms\/computerweekly\/Alex-Scroxton-CW-Contributor-2022.jpg\" alt=\"Alex Scroxton\">\n\t\t\t\t\t<\/p>\n<p><span>By<\/span><\/p>\n<ul>\n<li>\n\t\t\t\t\t<a href=\"https:\/\/www.techtarget.com\/contributor\/Alex-Scroxton\">Alex Scroxton,<\/a><br \/>\n\t\t\t\t\t\t<span>Security Editor<\/span>\n\t\t\t\t\t\t<\/li>\n<\/ul>\n<p>\n\tPublished: <span>30 Mar 2023 17:45<\/span>\n<\/p>\n<\/div>\n<section id=\"content-body\">\n<p>The <a href=\"https:\/\/pbom.dev\/\">Open Software Supply Chain Attack Reference<\/a> (OSC&#038;R) framework for supply chain security has gone live on Github, enabling anybody to 
contribute to the model.<\/p>\n<p>The MITRE ATT&#038;CK-like framework was launched in February with the stated goal of helping security teams improve their understanding of software supply chain threats, evaluate them and get to grips with them.<\/p>\n<p>Led by <a href=\"https:\/\/www.ox.security\/\">Ox Security<\/a>, an Israel-based supply chain specialist, the project\u2019s backers include David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, co-founder and CEO of Ox Security; Lior Arzi, co-founder and CPO at Ox Security; Hiroki Suezawa, senior security engineer at GitLab; Eyal Paz, head of research at Ox Security; Chenxi Wang, former OWASP global board member; Shai Sivan, CISO at Kaltura; Naor Penso, head of product security at FICO; and Roy Feintuch, former cloud CTO at Check Point.<\/p>\n<p>\u201cAfter we launched OSC&#038;R we were overwhelmed with emails from people working on elements within OSC&#038;R and wanting to contribute,\u201d said Neatsun Ziv, who served as Check Point\u2019s vice-president of cyber security prior to founding Ox.<\/p>\n<p>\u201c<a href=\"https:\/\/github.com\/pbom-dev\/OSCAR\">By moving to Github<\/a> and opening the project to contributions we hope to capture this collective knowledge and experience for the benefit of the entire security community.\u201d<\/p>\n<p>At the same time, Visa product security Dineshwar Sahni has also joined the consortium, while <a href=\"https:\/\/en.wikipedia.org\/wiki\/Michael_S._Rogers\">former NSA director Mike Rogers<\/a>, who ran the US intelligence agency from 2014 to 2018, has thrown his backing behind the project.<\/p>\n<p>\u201cCyber security is a game of cat and mouse,\u201d said Rogers. 
\u201cGaining the upper hand requires building a good threat model and OSC&#038;R enables organisations to identify security requirements, pinpoint security threats and potential vulnerabilities, quantify threat and vulnerability criticality, and prioritise remediation methods.\u201d<\/p>\n<p>Sahni added: \u201cIn one episode of Star Trek, while working on vulnerabilities of the Enterprise in relation to the threat actor, Mr Spock said, \u2018Insufficient facts always invite danger, Captain!\u2019. The same certainly holds true in cyber security, where a lack of information increases vulnerability. By increasing the community\u2019s knowledge, OSC&#038;R holds tremendous potential to mitigate dangers to the software supply chain and reduce the attack surface more broadly.\u201d<\/p>\n<p>The framework\u2019s backers believe their project will prove immensely valuable to companies looking to build out their software supply chain security programmes. Among other things, it can help evaluate existing defences, define threat prioritisation criteria, and track the behaviours of attacker groups.<\/p>\n<p>The need for organisations to prioritise the resilience of their software supply chains has been hammered home repeatedly over the past few years, with arguably the most impactful incident <a href=\"https:\/\/www.techtarget.com\/whatis\/feature\/SolarWinds-hack-explained-Everything-you-need-to-know\">being the SolarWinds incident of 2020\/1<\/a>, which began when Russian threat actors compromised the firm\u2019s Orion network management platform and injected backdoor malware which then shipped to customers as a \u2018tainted\u2019 update.<\/p>\n<p>History is repeating itself even today, as proved by <a href=\"https:\/\/www.computerweekly.com\/news\/365533987\/3CX-unified-comms-users-hit-by-supply-chain-attacks\">a still-developing incident at unified comms firm 3CX<\/a>, which began when a product update was shipped with a security issue that is being exploited by a 
threat actor with links to the North Korean regime.<\/p>\n<\/section>\n<\/div>\n<p><a href=\"https:\/\/www.computerweekly.com\/news\/365534022\/OSCR-supply-chain-security-framework-goes-live-on-Github\" class=\"button purchase\" rel=\"nofollow noopener\" target=\"_blank\">Read More<\/a><br \/>\n Tomi Fetzer<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Brian Jackson &#8211; stock.adobe.com The OSC&amp;R framework for understanding 
and evaluating threats to supply chain security has made its debut on Github to allow anybody to contribute to the framework By Alex Scroxton, Security Editor Published: 30 Mar 2023 17:45 The backers of the Open Software Supply Chain Attack Reference (OSC&amp;R) framework for supply chain<\/p>\n","protected":false},"author":1,"featured_media":623923,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25237,4247,46],"tags":[],"class_list":{"0":"post-623922","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-chain","8":"category-supply","9":"category-technology"},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/623922","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/comments?post=623922"}],"version-history":[{"count":0,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/posts\/623922\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media\/623923"}],"wp:attachment":[{"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/media?parent=623922"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/categories?post=623922"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newsycanuse.com\/index.php\/wp-json\/wp\/v2\/tags?post=623922"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}