AppSec & Supply Chain SecurityFebruary 21, 2023

OSC&R targets software supply chain attacks

Modeled after MITRE ATT&CK, OSC&R aims to improve software supply chain security. Experts share its hits — and misses.

John P. Mello Jr., freelance technology writer

With the ever-increasing awareness of threats to software supply chains, a burning question arising in many organizations is, "Are we protected?" To help answer that question, a new software supply chain security framework crafted along the lines of MITRE ATT&CK has been released.

The Open Software Supply Chain Attack Reference (OSC&R), which was forged by a group led by OX Security with cybersecurity pros from a number of companies, including Google, GitLab, FICO, Check Point, and Fortinet, is a first-of-its-kind framework for understanding techniques, tactics, and procedures (TTPs) used by attackers to compromise supply chains.

The OSC&R framework is a matrix with the stages of an attack as column headers — reconnaissance, resource development, initial access, execution, persistence, privilege escalation, defense evasion, credential access, lateral movement, collection, exfiltration, and impact — and supply chain areas as row labels — container security, open source security, SCM posture, secrets hygiene, code security, cloud security, CI/CD posture, artifact security, and infrastructure as code.

OX Security said OSC&R can be used by security teams to evaluate existing defenses, define which threats need to be prioritized, and how existing coverage addresses those threats, as well as to help track the behaviors of attacker groups.
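The matrix layout described above is easy to turn into a coverage model a security team can actually query: which cells have a control mapped to them, which do not, and which gaps to work on first. The Python below is an added example, not code from OX Security, OSC&R or this article. The tactic and area labels are exactly the column and row labels listed in the article; the control inventory and the risk weights are constructed for illustration and do not represent any real organization or the OSC&R technique catalogue.

```python
"""Evaluate defensive coverage against an OSC&R-style matrix.

Added example, not OX Security's or OSC&R's own code. The tactic and
area names are the column and row labels given in the article; the
controls and weights below are constructed placeholders.
"""
from dataclasses import dataclass

# Column headers (attack stages) as listed in the article.
TACTICS = (
    "reconnaissance", "resource development", "initial access", "execution",
    "persistence", "privilege escalation", "defense evasion",
    "credential access", "lateral movement", "collection", "exfiltration",
    "impact",
)

# Row labels (supply chain areas) as listed in the article.
AREAS = (
    "container security", "open source security", "SCM posture",
    "secrets hygiene", "code security", "cloud security", "CI/CD posture",
    "artifact security", "infrastructure as code",
)


@dataclass(frozen=True)
class Control:
    """A defensive control mapped onto the matrix cells it addresses."""
    name: str
    areas: frozenset
    tactics: frozenset


def build_matrix(controls):
    """Return {(area, tactic): [control names]} for every cell of the grid.

    Rejects controls whose labels are not in the matrix, so typos in an
    inventory surface as errors rather than silently uncovered cells.
    """
    matrix = {(a, t): [] for a in AREAS for t in TACTICS}
    for c in controls:
        unknown = (c.areas - set(AREAS)) | (c.tactics - set(TACTICS))
        if unknown:
            raise ValueError(f"{c.name}: labels not in the matrix: {sorted(unknown)}")
        for a in c.areas:
            for t in c.tactics:
                matrix[(a, t)].append(c.name)
    return matrix


def uncovered_cells(matrix):
    """Cells with no mapped control, in row-major (area, then tactic) order."""
    return [cell for cell, names in matrix.items() if not names]


def coverage_by_area(matrix):
    """Fraction of tactics with at least one control, per supply chain area."""
    return {a: sum(1 for t in TACTICS if matrix[(a, t)]) / len(TACTICS) for a in AREAS}


def prioritize_gaps(matrix, weights):
    """Rank uncovered cells by a caller-supplied risk weight.

    `weights` maps a label (area or tactic) to a number; a cell's weight is
    the product of its two labels' weights, and unweighted labels count as 1.
    Ties keep row-major order because sorted() is stable.
    """
    return sorted(uncovered_cells(matrix),
                  key=lambda cell: -(weights.get(cell[0], 1) * weights.get(cell[1], 1)))


# Constructed inventory (assumed, not from the article) of a small team.
SAMPLE_CONTROLS = [
    Control("branch protection + signed commits", frozenset({"SCM posture"}),
            frozenset({"initial access", "persistence", "defense evasion"})),
    Control("secret scanning in pre-commit and CI",
            frozenset({"secrets hygiene", "code security"}),
            frozenset({"credential access", "exfiltration"})),
    Control("dependency lockfile + provenance checks",
            frozenset({"open source security", "artifact security"}),
            frozenset({"initial access", "execution"})),
    Control("base image scanning", frozenset({"container security"}),
            frozenset({"initial access", "execution"})),
]

# Constructed risk weights: the team considers these labels more exposed.
SAMPLE_WEIGHTS = {"secrets hygiene": 3, "CI/CD posture": 3,
                  "credential access": 2, "initial access": 2}

if __name__ == "__main__":
    m = build_matrix(SAMPLE_CONTROLS)
    for area, frac in coverage_by_area(m).items():
        print(f"{area:<25} {frac:>5.0%}")
    for area, tactic in prioritize_gaps(m, SAMPLE_WEIGHTS)[:5]:
        print("gap:", area, "/", tactic)
```

With the constructed inventory, 13 of the 108 cells carry a control; the highest-weighted gaps come out as secrets hygiene and CI/CD posture against initial access and credential access, which is the kind of prioritized list the article says the framework is meant to produce.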

Here's what you need to know about OSC&R, along with expert insights on the new framework's potential to improve software supply chain security.


Follow the leader: MITRE ATT&CK is the role model

OSC&R clearly communicates the various aspects of software supply chain security organizations need to consider, such as SCM posture, open source, cloud and code security, while listing the various TTPs for each malicious activity across those areas, said Chris Hughes, co-founder and CISO of Aquia.

OSC&R brings a very familiar layout to security professionals, aligning itself with approaches such as MITRE's ATT&CK framework.

Chris Hughes

Matt Rose, Field CISO at ReversingLabs, said OSC&R goes further than MITRE ATT&CK does, with more prescription and granularity.

If you're a cloud security professional or concerned with secrets hygiene or infrastructure as code, OSC&R tells you the things you need to do to secure your supply chain.

Matt Rose

To prepare better from a security-posture and prevention-strategy standpoint, teams need to know how and where a supply chain attack can happen, noted Jay Paz, senior director for penetration tester advocacy and research at Cobalt Labs.

The entire framework provides a holistic idea on the attacker mindset. A software builder can take preventive action based on the components being used.

Jay Paz

Paz noted that OSC&R will be helpful for red-teaming exercises because it lays out clearly how this type of attack happens. "However, the framework will need to evolve as new attack vectors are released."

Tim Mackey, a principal security strategist at the Synopsys Cybersecurity Research Center, asserted that it’s important to look at OSC&R through the lens of a development team creating an application.

OSC&R seeks to consolidate what has been known from other attack models like MITRE ATT&CK and map those techniques into actions or targets that development teams might recognize.

Tim Mackey

Very few people really understand just how unprotected our software supply chains are, said Jeff Williams, co-founder and CTO of Contrast Security.

But OSC&R is just the attack side of things. There is also an amazing amount of research that has to go into the defense side. We lack even basic tools to defend the software supply chain against all the ideas in OSC&R.

Jeff Williams

Williams said he does not see anything new with OSC&R, but said, "It’s nice to have a model to capture all the possible ways that a supply chain attack might be orchestrated from beginning to end."

OSC&R gets key concepts out in the open

Because OSC&R is aimed specifically at software supply chain security, it can fill some gaps unaddressed by other frameworks, said Davis McCarthy, a principal security researcher at Valtix.

It’s nuanced, but the processes and tools for detecting a backdoor on an endpoint are different than if the backdoor were implanted directly into the source code. TTPs like brandjacking did not previously map to a framework, so OSC&R is at least putting those concepts out in the open.

Davis McCarthy

Frank Downs, a senior director at enterprise cybersecurity company BlueVoyant and a member of the ISACA emerging trends working group, said that OSC&R offers a perspective on software supply chain security that many companies lack.

This framework acts as a complement to other frameworks which may be applied to the third-party relationships organizations have by showing companies that relationship through the eyes of an attacker, such as a cybercriminal or an APT.

Frank Downs

While OSC&R is thin in some areas, that is likely a deliberate decision by its authors, Rose noted.

You don't want to overload people with too many things to look at. One of the things it's trying to do is focus attention on limited resources and farming those resources out.

Matt Rose

However, OSC&R could benefit from some added detail within its TTPs. "Defining what to look for within each TTP and how to mitigate them will improve OSC&R," McCarthy said.

Software Supply Chain Security: An interesting journey ahead

Mackey noted some limitations in terms of operationalizing OSC&R: it has an entry for malicious code contribution to an open-source code repository, but it doesn't yet provide guidance on how to detect malicious code or how to distinguish a malicious code contribution from a legitimate one.

OSC&R is in its early stages of development and at present only provides a high-level view of a potential software supply chain threat.

Tim Mackey

Mackey pointed out that the cybersecurity industry has a large number of frameworks, each with its own set of controls, activities, and tasks describing potential pitfalls that lead to exploitable weaknesses. For OSC&R to gain traction, it will need to identify potential alignment with major frameworks and their associated controls, he said. "Many of these frameworks have a standards or regulatory component to them."

Williams added that OSC&R is a good start, but there are quite a few attack vectors missing, such as malicious test cases, deliberate vulnerability placement for plausible deniability, trojan-infected development tools and plug-ins, insider attacks, developer laptops, attacking test servers, and targeting binary repos.

But Williams said the team behind OSC&R can build out over time as they consider the full range of things that can affect the integrity of code in the supply chain.

I suppose even ChatGPT has to be considered now that developers are using it to write code for them. It’s going to be an interesting journey.

Jeff Williams
