The decision to host the new Open Software Supply Chain Attack Reference (OSC&R) framework on the GitHub platform should improve its effectiveness in protecting organizations from attackers, experts said in response to the move.
Since Ox Security launched OSC&R in March, comments have poured in from people working on elements within the MITRE ATT&CK-like framework who want to contribute, Ox's CEO and co-founder Neatsun Ziv said in a press release statement.
And moving to GitHub and opening the project to contributions will hopefully "capture this collective knowledge and experience for the benefit of the entire security community," said ReversingLabs Field CISO Matt Rose.
With the move to host OSC&R on GitHub, people would be better managing and driving the project, "but they're not omnipotent," he said. "They don't know everything. Getting information from other experts in the industry is a huge benefit."
"Software supply chain security is ill-defined right now so the crowdsourced community approach to help with the project is beneficial to everybody."
Here's what the move means in the short run — and in the long run. Will it help advance the evolution of application security into software software supply chain security? Experts weigh in.
The GitHub move sends the right message
By hosting the project where a broad community can offer contributions, development of the framework can progress much further and faster than it would using the traditional working group approach, said Jeff Williams, co-founder and CTO of Contrast Security. "I think it will make it easier to attract contributors and build out the model quickly. There are a lot of unfinished pieces to the model right now."
"Github isn’t just for code. It’s just a great way to collaborate, particularly on a crowdsourced project."
About three years ago, OWASP moved from the Wikipedia-style platform it used for the last15 years to Github, Williams said. "This allows them greater flexibility and control over the hundreds of projects that are part of the OWASP Foundation."
By hosting OSC&R on Github, Ox Security is sending a positive message to the security community, said James McQuiggan, a security awareness advocate at KnowBe4.
"It shows that OSC&R is transparent and open to gaining comments and input from the collection of researchers, developers, and IT and security experts that the platform hosts. Collaborating with the community, you're getting their support. And their knowledge and experience can help the growth of the framework."
What's more, being on the platform demonstrates that they consider GitHub a trusted environment and a secure location for their needs.
It's also an invitation for engagement
OSC&R is designed to address issues related to software supply chain security that aren't addressed in other frameworks, like MITRE ATT&CK. But because it's so new, it's not established yet in the security industry, said Davis McCarthy, a principal security researcher at Valtix.
"Deploying it on GitHub is a call for security professionals to engage with the framework and begin developing tools that leverage its contents."
OSC&R sets a benchmark for security teams to help them comprehend, prepare, detect, and protect their assets during supply chain attacks, said Debrup Ghosh, senior product manager at the Synopsys Software Integrity Group.
"It benefits the entire cybersecurity community, as the framework can be leveraged to build threat models on supply chain attacks, and will be invaluable while doing red-team exercises as well."
However, while posting OSC&R to Github allows researchers, developers, and IT and security experts to access it, it also opens up the possibility of threat actors peeking at it, McQuiggan noted:
"By exposing the framework to the public, it could be stolen and stood up on another site containing malware to target the victim on the site, thinking they are visiting the actual framework."
Making the framework public is the right path
While there are risks to exposing the framework publicly on GitHub, that kind of thinking clings to the antiquated idea of "security through obscurity" that has long been disproven, said Chris Hughes, co-founder and CISO at Aquia.
"The harsh reality is that malicious actors already know the techniques captured in the framework, and are actively using them to exploit targets and the software supply chain. Making the framework public helps empower defenders to better understand these techniques of malicious actors and to improve their controls and security measures to try and mitigate their risk — and the risk of those they interact with — through software in the broader ecosystem."
You need to let people know about the approaches for securing things, Rose added, "but you're also potentially educating nefarious dudes at the same time."
"It falls on the owners of the project to make sure its approaches are effective. In the end, the benefits outweigh the risks."
A step in the right direction but no panacea
Although OSC&R is a good start toward identifying risks within the software supply chain, Synopsys Principal Security Strategist Tim Mackey warned that the framework represents a single vendor's perspective on supply chain security.
"The observations it outlines are valid, but OSC&R is far too early in its lifecycle to represent an authoritative set of activities all organizations should perform."
Mackey recommends that security teams look at its tasks through the lens of a threat model.
"If, as a software producer, you aren’t performing routine threat assessments on your software delivery practices, then you should start there."
Rose recently wrote a blog post noting that a modern software supply chain security platform needs to protect both infrastructure and applications — and shift the emphasis from vulnerabilities to malware. Binary analysis allows deeper visibility for teams to ensure their software is secure by focusing on how code behaves, regardless of where it came from, he wrote.
The bigger shift — from application security to comprehensive software supply chain security — is already under way, Rose said. And it's just a matter of recognizing that.
Software supply chain security needs to be recognized for what it has become: A separate discipline within the application security ecosystem.
- See Webinar: Secure by Design: Why Trust Matters for Risk Management
- Supply Chain Risk Report: Learn why you need to upgrade your AppSec
- See special report: The Evolution of Application Security
- Track key trends: The State of Supply Chain Security 2022-23
- Special report: C-SCRM and federal supply chain security guidance
- Dev & DevSecOps