All about OSC&R, a Software Supply Chain Security Framework

With software supply chain attacks posing such a significant threat to organizations, having a comprehensive understanding of these attacks is crucial for developing effective security strategies.

Enter Open Software Supply Chain Attack Reference (OSC&R), an open source framework, introduced in February, that provides actionable insights into attacker behaviors and techniques used to compromise the software supply chain.

“In one episode of ‘Star Trek,’ while working on vulnerabilities of the Enterprise in relation to the threat actor, Mr. Spock said, ‘Insufficient facts always invite danger, Captain!’” said Dineshwar Sahni, a member of the consortium behind OSC&R, in a statement issued, when the project moved to GitHub in March.

“The same certainly holds true in cybersecurity, where a lack of information increases vulnerability,” added Sahni, director of product security at Visa. “By increasing the community’s knowledge, OSC&R holds tremendous potential to mitigate dangers to the software supply chain and reduce the attack surface more broadly.”

In this article, we will explore the OSC&R initiative and delve into how a pipeline bill of materials (PBOM) expands on the concept of a software bill of materials (SBOM) and offers enhanced security capabilities.

What’s OSC&R?

OSC&R is a MITRE ATT&CK-like framework designed to provide a common language and structure for understanding and analyzing the tactics, techniques and procedures (TTPs) used by adversaries to compromise the security of software supply chains.

It aims to give the security community a single point of reference to proactively assess their own strategies for securing their software supply chains and to compare solutions.

By leveraging OSC&R, organizations can gain a standardized language and framework to assess their security strategies, identify potential vulnerabilities and compare solutions effectively.

The OSC&R project was spearheaded by OX Security, a supply-chain security company based in Israel. The initiative is now steered by a consortium of tech leaders, including Sahni.

The project was open sourced due to popular demand.

“After we launched OSC&R we were overwhelmed with emails from people working on elements within OSC&R and wanting to contribute,” said Neatsun Ziv, OX Security CEO and co-founder, in a statement released by his company.

“By moving to GitHub and opening the project to contributions we hope to capture this collective knowledge and experience for the benefit of the entire security community.”

How OSC&R Works

Techniques in OSC&R represent the methods or actions used by adversaries to achieve specific objectives within the software supply chain. These techniques can describe how an adversary performs an action or what they gain from it.

For example, a technique in OSC&R could be, “creating a backdoor in third-party software used within the organization’s supply chain.” This technique highlights the action performed by the adversary. Additionally, techniques can also represent what type of information the adversary is targeting, which is particularly relevant for OSC&R’s Discovery tactic.

OSC&R provides further granularity by introducing sub-techniques. These break down the behaviors described by techniques into more specific descriptions of how the behavior is used to achieve an objective.

For instance, in the case of adding a backdoor to third-party code, a sub-technique could involve the adversary becoming a maintainer of the third-party library or disguising the backdoor within a seemingly legitimate pull request.

The use of multiple techniques within each tactic category acknowledges that there can be multiple ways to achieve tactical objectives. Similarly, multiple distinct sub-techniques can exist under a technique to account for different approaches or variations in executing the technique.

Key Features and Benefits of OSC&R

OSC&R covers a broad spectrum of attack vectors, including but not limited to:

• Vulnerabilities in third-party libraries. OSC&R provides insights into identifying and managing vulnerabilities in commonly used third-party libraries, which are often targeted by attackers.
• Supply chain attacks on build and deployment systems. The framework helps organizations understand and mitigate risks associated with compromised build and deployment systems, ensuring the integrity of the software supply chain.
• Compromised or malicious software updates. It detects and prevents attacks stemming from software updates, safeguarding their software supply chain.
• Actionable threat insights. OSC&R provides valuable and objective insights into the target of an attack and its current phase. It categorizes attacks based on their severity, impact and likelihood of occurrence. This information simplifies security communication across organizations, enables complete coverage visibility and empowers security teams to prioritize their response efforts effectively.
• Evaluation and prioritization. The framework allows security teams to evaluate the effectiveness of existing protection measures and controls. It helps pinpoint potential impacts on the organization, prioritize remediation efforts and ensure security strategies align with the identified threat landscape. By understanding the TTPs employed by attackers, organizations can take actions that provide the highest level of risk mitigation.
• Facilitating incident response and forensics. In the event of a security incident or breach, the pipeline bill of materials, or PBOM, serves as a valuable resource for incident response and forensic investigations. By having a comprehensive view of the software pipeline and its associated components, organizations can quickly identify the source of an attack, trace its impact and take appropriate remedial actions.
• Enabling continuous improvement. The PBOM promotes a culture of continuous improvement. By regularly analyzing and updating the pipeline bill of materials, PBOM offers a new standard for software supply chain security – providing developers with greater visibility over the software supply chain attack surface.

PBOM technology continuously monitors the changes that impact security from source code to pipeline — artifacts, container images, runtime assets, and so on. Organizations can identify areas for improvement, implement new security measures and stay ahead of emerging threats.

What’s a PBOM?

A PBOM takes a holistic approach by considering the entire software pipeline, from design to production. It goes beyond the list of ingredients provided by an SBOM and evaluates the stages where attacks might occur.

This comprehensive perspective helps organizations identify potential vulnerabilities and proactively prevent attacks throughout the software development process.

While the SBOM has been a significant step in understanding the composition of software artifacts, it has limitations when it comes to identifying vulnerabilities and mitigating attacks across the entire software pipeline. This is where the PBOM comes into play, expanding on the concept of the SBOM and providing enhanced security capabilities.

A PBOM reveals the entire software pipeline, from design to production. It goes beyond the list of ingredients provided by SBOM and evaluates the stages where attacks might occur.

Advantages of PBOM over SBOM

• Enhanced attack mitigation. The PBOM provides a broader view of potential attack vectors by considering the full software pipeline. It allows organizations to identify weaknesses in each stage, such as design, development, testing and deployment. By implementing robust security measures at each stage, organizations can mitigate attacks more effectively.
• Proactive risk management. By analyzing the entire pipeline through a PBOM, security teams can identify potential vulnerabilities early in the development process and implement appropriate security controls. This proactive approach minimizes the risk of vulnerabilities being introduced into the software supply chain.
• Integration with security processes. A PBOM can seamlessly integrate with existing security processes, such as threat modeling, vulnerability management and incident response. By incorporating a PBOM into these processes, organizations can enhance their ability to detect and respond to supply chain attacks, ensuring a robust security posture.

PBOM Use Cases

• Identifying third-party library vulnerabilities. A PBOM can help organizations identify vulnerabilities in third-party libraries used in their software supply chain. By examining the entire pipeline, organizations can evaluate the security practices of library providers and make informed decisions about which libraries to use.
• Detecting compromised build and deployment systems. A pipeline bill of materials allows organizations to detect and prevent attacks targeting build and deployment systems. By analyzing the entire pipeline, organizations can identify anomalies, unauthorized access attempts, or suspicious behavior that may indicate a compromise.
• Ensuring secure software updates. PBOM provides visibility into the software update process, allowing organizations to verify the integrity of updates and identify potential risks. By validating each step in the update pipeline, organizations can prevent the distribution of compromised or malicious updates.

How to Make Friends with OSC&R

Interested in contributing to the OSC&R framework on Github? You can also join the OSC&R Slack channel.