SalesTech Star

Cybersecurity Leaders Launch First Attack Matrix for Software Supply Chain Security

Current and former cybersecurity leaders from Microsoft, Google, GitLab, Check Point, OWASP, Fortinet and others have already joined the open framework initiative, which is being led by OX Security.

OX Security, the first end-to-end software supply chain security solution, announced the launch of OSC&R (Open Software Supply Chain Attack Reference), the first and only open framework for understanding and evaluating existing threats to entire software supply chain security.

The founding consortium of cybersecurity leaders behind OSC&R include: David Cross, former Microsoft and Google cloud security executive; Neatsun Ziv, Co-Founder and CEO of OX Security; Lior Arzi, Co-Founder and CPO at OX Security; Hiroki Suezawa, Senior Security Engineer at GitLab; Eyal Paz, Head of Research at OX Security; Phil Quade, former CISO at Fortinet; Dr. Chenxi Wang, former OWASP Global Board member; Shai Sivan, CISO at Kaltura; Naor Penso, Head of Product Security at FICO; and Roy Feintuch, former Cloud CTO at Check Point Technologies.

Read More: SalesTechStar Interview with Steve Terp, Chief Revenue Officer at Appspace

Discussions with hundreds of industry leaders revealed that there was a very concrete need for a MITRE-like framework that would allow experts to better understand and measure supply chain risk, a process that until now could only be based on intuition and experience. OSC&R is designed to provide a common language and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) used by adversaries to compromise the security of software supply chains.

“Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn’t productive,” said Neatsun Ziv, who served as Check Point’s VP of Cyber Security before founding OX. “Without an agreed-upon definition of the software supply chain, security strategies are often siloed.”

OSC&R is now ready to be used by security teams to evaluate existing defenses and define which threats need to be prioritized, how existing coverage addresses those threats, as well as to help track behaviors of attacker groups.

Read More: Applying AI and NLP to Support Experience Management Enables Companies to Reduce Escalations and Accelerate Time to Resolution While Improving the Support Experience for Both Agents and Customers

“OSC&R helps security teams build their security strategy with confidence,” said Hiroki Suezawa, Senior Security Engineer at Gitlab. “We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions,” he continued.

The OSC&R framework will update as new tactics and techniques emerge and evolve. It will also assist red-teaming activities by helping set the scope required for a pentest or a red team exercise, serving as a scorecard both during and after the test. The framework will also now be open for other cybersecurity leaders and practitioners to contribute to OSC&R.

“I believe the OSC&R framework will help organizations reduce their attack surface,” said Naor Penso, Head of Product Security at FICO. “I am proud to take part in a project that can have such a major impact on the future security landscape, and to share our knowledge and expertise.”

Write in to to learn more about our exclusive editorial packages and programs.