A New Open Framework for
Releasing Secure Products

Make security a part of product development, not an afterthought.

Open Software Supply Chain
Attack Reference (OSC&R)

A comprehensive, systematic and actionable way to understand attacker behaviors and techniques with respect to the software supply chain.
-

Frequently Asked Questions

What is the
Software Supply Chain?

The software supply chain is anything and everything that touches an application or plays a role, in any way, in its development throughout the development life cycle. Software supply chain attacks can target products at any stage of the development lifecycle.

What is OSC&R

Software supply chain attacks are on the rise across in all industries. In order to develop a security strategy, we first need a common understanding of the underlying threats. OSC&R is an open framework that provides a comprehensive, systematic and actionable way to understand attacker behaviors and techniques.

 

Like MITRE ATT&CK, OSC&R is organized into a clear and structured view of the tactics, techniques, and procedures (TTPs) used by adversaries. However, OSC&R is the first and only matrix that focuses specifically on the software supply chain attacks. It covers a wide range of attack vectors, including vulnerabilities in third-party libraries and components, supply chain attacks on build and deployment systems, and compromised or malicious software updates.

SLSA vs OSC&R

Supply-chain levels for software artifacts (SLSA) is a framework for classifying different types of software artifacts in a supply chain based on their level of integrity. Integrity in the context of SLSA refers to the assurance that the software artifact has not been tampered with or modified in an unauthorized manner, and that it is in its original and intended state.

 

OSC&R is a framework that provides a comprehensive, systematic and actionable way to understand attacker behaviors and techniques used to compromise the software supply chain. OSC&R provides valuable and objective insights into the target of an attack and its current phase.

 

This perspective tells a complete story that helps simplify security communication across their organization, provides complete coverage visibility and allows your team to pinpoint the potential impacts to your organization, evaluate the effectiveness of your existing protection and controls, and prioritize your response. 

SBOM vs PBOM

A software bill of materials (SBOM) declares the inventory of components used to build a software artifact such as a software application. It is analogous to a list of ingredients on food packaging: where you might consult a label to avoid foods that may cause allergies, SBOMs can help organizations or persons avoid consumption of software that could harm them.

 

A pipeline bill of materials (PBOM) goes beyond that list of ingredients and tells you whether other products made using the same machinery or produced in the same factory contain nuts. It does not just look at the software, it looks at the full pipeline from design to production.  PBOMs do a better job of helping people avoid using harmful software because it looks at all the stages where an attack might happen.

What is PBOM.dev?

PBOM.dev is an open community committed to helping organizations secure their software supply chains.

 

The PBOM.dev community members are leveraging real-world observations and experiences to build a shared knowledge base that can be used to help security teams to take proactive action to prevent attacks, and keep their assets safe from cyber threats.

 

This knowledge base will always be publicly available and free of charge.

Authors

Neatsun Ziv
Co-Founder & CEO
OX Security
Lior Arzi
Co-Founder & CPO
OX Security
Eyal Paz
Head of Research
OX Security
David Cross
former Microsoft and Google cloud security executive
Hiroki Suezawa
Senior Security Engineer
GitLab
Naor Penso
Head of Product Security
FICO
Shai Sivan
CISO
Kaltura
Dineshwar Sahni
Senior Cybersecurity leader
Maxim Kovalsky
Managing Director
Cybersecurity and Privacy
Grant Thornton
Dr. Chenxi Wang
former OWASP Global Board member
Roy Feintuch
former Cloud CTO at Check Point Technologies
Hadas Harel Lavie
Senior Security Architect at eToro
Ronen Atias
Security Architect at OX Security
Gadi Evron
former Innovation Domain Lead, AppSec at Citibank

Join the community

Join our slack channel
 https://pbom.dev/wp-content/uploads/2023/01/slack.svg
Github repository
 https://pbom.dev/wp-content/uploads/2023/01/github.svg