In collaboration with companies including Google, Microsoft, and GitLab, OX Security has released a security framework for assessing and evaluating software supply chain security risks. The Open Software Supply Chain Attack Reference (OSC&R) is a MITRE-like framework covering containers, open-source software, secrets hygiene, and CI/CD posture.
OSC&R is designed to provide a common language and structure for understanding and analyzing the tactics, techniques, and procedures (TTPs) used by attackers in supply chain attacks. Hiroki Suezawa, senior security engineer at GitLab, shares that:
We wanted to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions.
The framework is divided into nine areas of importance defining the pipeline bill of materials (PBOM). A PBOM is similar to a software bill of materials (SBOM) but covers the pipeline and processes used to build software artifacts instead of directly assessing the artifacts themselves. On top of the areas mentioned previously, this includes reviewing source control methods, cloud security, code security, and infrastructure-as-code processes.
These areas of importance are then assessed, in a matrix format, across 12 TTPs. These TTPs include reconnaissance, initial access, persistence, privilege escalation, and credential access. For example, at the intersection of Open Source Security and Initial Access are TTPs including repojacking, typosquatting, malicious IDE extension, and vulnerable CI/CD templates. At the time of writing, only the identification of these TTPs is available on the site; a more detailed definition and description are not currently present.
As Neatsun Ziv, CEO at OX Security explains,
Trying to talk about supply chain security without a common understanding of what constitutes the software supply chain isn’t productive. Without an agreed-upon definition of the software supply chain, security strategies are often siloed.
Software Supply Chain Security has been growing as an area of concern as attacks in this area continue to increase. A report from Aqua Security found that supply chain attacks grew 300% from 2020 to 2021. Gartner predicts that 45% of organizations globally will have suffered a supply chain attack by 2025. This would be a threefold increase in the number of attacks from 2021.
Recent attacks include malicious packages on the PyPi registry, which as reported by Sergio De Simone for InfoQ "can install the Meterpreter trojan disguised as pip, delete the netstat system utility, and tamper with SSH authorized_keys file."
These increases in attacks have been met with an increase in investment in supply chain security. Along with the new OSC&R framework, Chainguard has recently released the OpenVEX specification. The Vulnerability Exploitability eXchange (VEX) is designed to help assess and manage vulnerabilities in software. As noted by Dan Lorenc, CEO at Chainguard, "OpenVEX is complementary to SBOMs, allowing suppliers to communicate precise metadata about the vulnerability status of products directly to consumers and end users." Other recent improvements in this area include improvements from Docker, Google, and AWS.
Reaction to the release was mixed with Nermin S., lead solution strategist at Immersive Labs, wondering "BUT, [does] this industry really need more frameworks? They all add some particular value…but the amount [creates] some [friction] already."
The authors of the OSC&R framework indicate it will continue to be updated as attacker tactics and techniques emerge and evolve.