Today’s software supply chains are an amalgamation of code from many sources, both proprietary and open source, with far more of the latter than the former. According to one estimate, 97% of applications contain open-source code, and 90% of organizations say they use it in some way.
But a supply chain made up of many different parts blurs security visibility, and that lack of visibility makes such chains increasingly enticing targets for cybercriminals.
To help organizations understand and evaluate threats to the entire software supply chain, a consortium of several cybersecurity professionals released the OSC&R (Open Software Supply Chain Attack Reference) in February — and today, the group announced that the framework is now available on GitHub.
“From the beginning, the vision was to have OSC&R be open source, because it's really the best way to have the broadest look across the software supply chain landscape,” said Neatsun Ziv, CEO and co-founder of OX Security, which spearheaded OSC&R. “It also provides continuity and cohesiveness that many DevSecOps strategies are often lacking.”
A Broad Net for Cybercriminals
Between 2020 and 2021 alone, software supply chain attacks grew by more than 300%, according to one estimate.
Gartner, for its part, reported that 89% of companies experienced a supplier risk event in the past five years. Also according to the firm, by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.
The compromise of the SolarWinds Orion platform in 2020 is undoubtedly one of the most notorious examples. Other successful recent attacks have targeted the Python Package Index (PyPI), the official repository for the Python language; GitHub OAuth tokens; Okta; and MailChimp.
Software supply chains are “so vulnerable because there are many places across them that can be exploited by malicious actors,” said Ziv. “Organizations need to understand where those vulnerabilities are and know how to prevent them from being exploited.”
A Collaborative Approach
OX Security first launched OSC&R in February along with current and former leaders of Microsoft, Google, GitLab, Fortinet, FICO, Kaltura and Check Point Technologies.
It’s modeled on the MITRE ATT&CK framework, the curated knowledge base of cyber adversary tactics and techniques across the attack lifecycle. OSC&R provides a common language and structure for understanding and analyzing the tactics, techniques and procedures (TTPs) that malicious actors use against software supply chains.
The framework is designed to give the security community a single point of reference to assess strategies and compare tools, Ziv explained. Security teams can use the framework to evaluate existing defenses, prioritize threats and analyze how existing coverage addresses those threats.
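The coverage analysis described above, matching an ATT&CK-style matrix against the controls a team already has, is easier to see in code. The following is an added illustration, not OSC&R's own data or tooling: the tactic names, technique IDs, control names and threat weights are placeholders constructed for the example and are not OSC&R's real taxonomy (the project's GitHub repository is the source for that).

```python
"""Coverage analysis over an ATT&CK-style supply-chain matrix.

Added illustration; not OSC&R's own data or tooling. Every tactic,
technique ID, control and weight below is a constructed placeholder,
not OSC&R's actual content.
"""
from collections import defaultdict

# Constructed matrix: tactic -> technique IDs (hypothetical labels).
MATRIX = {
    "Initial Access": ["SC-T001", "SC-T002"],
    "Dependency Compromise": ["SC-T003", "SC-T004", "SC-T005"],
    "Build Tampering": ["SC-T006", "SC-T007"],
    "Distribution": ["SC-T008"],
}

# Constructed control inventory: control -> {technique: "prevent" | "detect"}.
CONTROLS = {
    "branch-protection": {"SC-T001": "prevent"},
    "dependency-pinning": {"SC-T003": "prevent", "SC-T004": "prevent"},
    "sbom-diff-alert": {"SC-T004": "detect", "SC-T005": "detect"},
    "hermetic-builds": {"SC-T006": "prevent"},
}

# Constructed threat weights: relative frequency of each technique in
# incidents the team cares about (higher = more urgent).
THREAT_WEIGHT = {
    "SC-T001": 3, "SC-T002": 5, "SC-T003": 8, "SC-T004": 6,
    "SC-T005": 4, "SC-T006": 7, "SC-T007": 9, "SC-T008": 2,
}

# A preventive control fully covers a technique; a detective one only half.
STRENGTH = {"prevent": 1.0, "detect": 0.5}


def coverage_by_technique(matrix, controls):
    """Best coverage score per technique: 1.0 prevent, 0.5 detect-only, 0.0 none.

    Raises KeyError if a control claims a technique the matrix does not list,
    which usually means the control mapping is stale.
    """
    best = defaultdict(float)
    for techs in matrix.values():
        for t in techs:
            best[t] = 0.0
    for mapping in controls.values():
        for t, kind in mapping.items():
            if t not in best:
                raise KeyError(f"control maps to unknown technique {t}")
            best[t] = max(best[t], STRENGTH[kind])
    return dict(best)


def tactic_coverage(matrix, controls):
    """Average technique coverage per tactic, rounded to two places."""
    cov = coverage_by_technique(matrix, controls)
    return {
        tac: round(sum(cov[t] for t in techs) / len(techs), 2)
        for tac, techs in matrix.items()
    }


def prioritized_gaps(matrix, controls, weights):
    """Techniques without full preventive coverage, highest residual risk first.

    Residual risk = threat weight * (1 - coverage). Ties break on technique ID.
    """
    cov = coverage_by_technique(matrix, controls)
    gaps = [(t, weights[t] * (1 - cov[t])) for t in cov if cov[t] < 1.0]
    return sorted(gaps, key=lambda g: (-g[1], g[0]))


if __name__ == "__main__":
    for tac, score in tactic_coverage(MATRIX, CONTROLS).items():
        print(f"{tac:24s} coverage {score:.2f}")
    for t, risk in prioritized_gaps(MATRIX, CONTROLS, THREAT_WEIGHT):
        print(f"gap {t}: residual risk {risk}")
```

The point of the weighting is that an uncovered tactic is not automatically the top priority: here the wholly uncovered "Distribution" tactic ranks below a single unmitigated build-tampering technique because the constructed weights say the latter is seen far more often. Swapping in real technique IDs and real incident data is the part the framework is meant to standardize.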
As Ziv explained, in just the last two months, the consortium has received important feedback on the project from its members and others in the cybersecurity community.
“The fact that the community is so experienced, so broad and so diverse means that we'll be able to collect and provide really great insights into what issues are out there and how to best protect against a wide array of potential software supply chain attacks,” said Ziv.
Lack of Information: Increased Vulnerability
OX Security competes in the growing DevSecOps space along with Snyk, Veracode, Aqua, GitLab, Checkmarx and Contrast Security (among others).
Gartner describes DevSecOps as “the integration of security into emerging agile IT and DevOps development as seamlessly and as transparently as possible,” ideally without reducing developer agility or speed.
As software supply chain attacks continue, researchers expect the global DevSecOps market to grow from $2.59 billion in 2021 to $23.16 billion by 2029, a compound annual growth rate (CAGR) of more than 30%.
Gartner also reports that 44% of organizations are substantially increasing year-over-year spend on supply chain cybersecurity.
This growing attention and concern is evidenced in the popularity of OSC&R. Ziv explained that after OX Security launched the framework, they were overwhelmed with emails from people working on elements within it and wanting to contribute.
“By moving to GitHub and opening the project to contributions, we hope to capture this collective knowledge and experience for the benefit of the entire security community,” he said.
For his part, new consortium member Dineshwar Sahni, senior cybersecurity leader at Visa, reached for a Star Trek analogy to describe the cybersecurity landscape. In one episode, as the crew works through the Enterprise's vulnerabilities to an adversary, Mr. Spock observes, ‘Insufficient facts always invite danger, Captain!’
“The same certainly holds true in cybersecurity, where a lack of information increases vulnerability,” he said. “By increasing the community’s knowledge, OSC&R holds tremendous potential to mitigate dangers to the software supply chain and reduce the attack surface more broadly.”
Cybersecurity professionals can now contribute on GitHub and join the OSC&R Slack channel.