A New Open Framework for
Releasing Secure Products
Open Software Supply Chain
Attack Reference (OSC&R)
Frequently Asked Questions
What is the
Software Supply Chain?
The software supply chain is everything that touches an application or plays any role in its development, across the whole development life cycle. Software supply chain attacks can target a product at any stage of that life cycle.
What is OSC&R?
Software supply chain attacks are on the rise in every industry. Developing a security strategy against them starts with a common understanding of the underlying threats. OSC&R (Open Software Supply Chain Attack Reference) is an open framework that provides a comprehensive, systematic and actionable way to understand attacker behaviors and techniques.
Like MITRE ATT&CK, OSC&R organizes the tactics, techniques and procedures (TTPs) used by adversaries into a clear, structured matrix. Unlike ATT&CK, OSC&R is the first matrix dedicated specifically to software supply chain attacks. It covers a wide range of attack vectors, including vulnerabilities in third-party libraries and components, attacks on build and deployment systems, and compromised or malicious software updates.
SLSA vs OSC&R
Supply-chain Levels for Software Artifacts (SLSA) is a framework that grades the integrity of a software artifact's build and provenance in increasing levels. Integrity, in SLSA's sense, is the assurance that the artifact has not been tampered with or modified without authorization and is in its original, intended state.
OSC&R is a framework that provides a comprehensive, systematic and actionable way to understand the attacker behaviors and techniques used to compromise the software supply chain. Where SLSA tells you how much to trust how an artifact was built, OSC&R gives objective insight into what an attack is targeting and which phase it is in; the two are complementary.
This perspective tells a complete story that simplifies security communication across your organization, gives full visibility into coverage, and lets your team pinpoint the potential impact on the organization, evaluate the effectiveness of existing protections and controls, and prioritize response.
SBOM vs PBOM
A software bill of materials (SBOM) declares the inventory of components used to build a software artifact such as an application. It is analogous to the list of ingredients on food packaging: just as you might consult a label to avoid foods that trigger allergies, organizations and individuals can consult an SBOM to avoid consuming software that could harm them.
A pipeline bill of materials (PBOM) goes beyond that list of ingredients. To stretch the analogy, it also tells you whether other products made on the same machinery, or in the same factory, contain nuts. It does not look only at the software; it looks at the full pipeline from design to production. A PBOM is better at helping people avoid harmful software because it covers every stage at which an attack might happen.
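The SBOM paragraph above describes the "ingredients list"; a practitioner mostly cares about how that list is consumed. The following is an added example, not code from PBOM.dev, OX Security or the CycloneDX project. It parses a CycloneDX JSON SBOM and reports two things: components whose versions an organization has decided not to consume, and components that carry no integrity hash (and so cannot be tied to the bytes that were actually built). The SBOM document, the package names, versions, hash values and the denylist are all constructed for illustration and do not describe real packages or real vulnerabilities; only the field names (bomFormat, specVersion, components, purl, hashes) come from the public CycloneDX schema.

```python
"""Consume a CycloneDX JSON SBOM and flag components of interest.

Added example for this FAQ. The document below is constructed: field names
follow the CycloneDX JSON schema, but the packages, versions, hashes and the
denylist are invented and describe no real package or vulnerability.
"""
import json
from typing import Dict, List, Set

# Constructed CycloneDX 1.4 SBOM. "example-http" deliberately has no hashes
# so the integrity check below has something to flag.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"type": "application",
                             "name": "demo-app", "version": "0.1.0"}},
  "components": [
    {"type": "library", "name": "example-util", "version": "2.0.1",
     "purl": "pkg:npm/example-util@2.0.1",
     "hashes": [{"alg": "SHA-256",
       "content": "0000000000000000000000000000000000000000000000000000000000000001"}]},
    {"type": "library", "name": "example-http", "version": "4.2.0",
     "purl": "pkg:npm/example-http@4.2.0"},
    {"type": "library", "name": "example-logger", "version": "1.0.0",
     "purl": "pkg:npm/example-logger@1.0.0",
     "hashes": [{"alg": "SHA-256",
       "content": "0000000000000000000000000000000000000000000000000000000000000002"}]}
  ]
}
"""

# Constructed policy (hypothetical): package name -> versions not to consume.
DENYLIST: Dict[str, Set[str]] = {"example-util": {"2.0.1", "2.0.2"}}


def parse_sbom(text: str) -> List[dict]:
    """Return the component list of a CycloneDX JSON SBOM.

    Refuses documents that do not declare bomFormat "CycloneDX", so a
    mislabelled or truncated file is not silently treated as an empty SBOM.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def component_id(component: dict) -> str:
    """Prefer the package URL (purl); fall back to name@version."""
    purl = component.get("purl")
    if purl:
        return purl
    return f"{component.get('name')}@{component.get('version')}"


def evaluate(components: List[dict],
             denylist: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Flag denied versions and components without an integrity hash.

    Returns {"denied": [...ids], "unhashed": [...ids]} in SBOM order.
    """
    denied: List[str] = []
    unhashed: List[str] = []
    for comp in components:
        ident = component_id(comp)
        name = comp.get("name", "")
        if comp.get("version") in denylist.get(name, set()):
            denied.append(ident)
        if not comp.get("hashes"):
            unhashed.append(ident)
    return {"denied": denied, "unhashed": unhashed}


if __name__ == "__main__":
    report = evaluate(parse_sbom(SAMPLE_SBOM_JSON), DENYLIST)
    for key, items in report.items():
        print(f"{key}: {', '.join(items) if items else 'none'}")
```

In a real pipeline the denylist would be fed from advisories or an internal allow/deny policy rather than a literal in the script, and a missing hash would normally be treated as a build gate failure rather than just reported, since without it the SBOM entry cannot be matched to the artifact that actually shipped.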
What is PBOM.dev?
PBOM.dev is an open community committed to helping organizations secure their software supply chains.
PBOM.dev community members draw on real-world observations and experience to build a shared knowledge base that helps security teams take proactive action to prevent attacks and keep their assets safe from cyber threats.
This knowledge base will always be publicly available and free of charge.
Authors
OX Security
OX Security
OX Security
GitLab
FICO
Kaltura
Cybersecurity and Privacy
Grant Thornton