The OSC&R (Open Software Supply Chain Attack Reference) is an open source framework used for understanding and evaluating existing threats to entire software supply chain security.

OSC&R was created to establish a standard language and structure for comprehending and evaluating the tactics, techniques, and procedures (TTPs) utilized by attackers to breach the security of software supply chains. 

The goal is to provide the security community with a unified resource to evaluate their own approaches for securing software supply chains in advance and compare solutions, according to the framework’s founding members. 

“In one episode of Star Trek, while working on vulnerabilities of the Enterprise in relation to the threat actor, Mr. Spock said, ‘Insufficient facts always invite danger, Captain!’ The same certainly holds true in cybersecurity, where a lack of information increases vulnerability. By increasing the community’s knowledge, OSC&R holds tremendous potential to mitigate dangers to the software supply chain and reduce the attack surface more broadly,” said Dineshwar Sahni, director of product security at VISA who also just joined the consortium of cybersecurity leaders behind OSC&R.

OSC&R can be used by security teams to evaluate existing defenses, define which threats need to be prioritized, and how existing coverage addresses those threats, as well as to help track the behaviors of attacker groups.

The project was added to GitHub earlier this week and was also recently endorsed by former U.S. National Security Agency Director Admiral Mike Rogers.