February 6, 2023

The OSC&R (Open Software Supply Chain Attack Reference), Open Visibility Exploitability eXchange (OpenVEX), a tool for addressing vulnerabilities in enterprise software, and cyber supply chain risk management (C-SCRM), are set to help enterprises combat supply chain attacks. The tools will provide a common framework for evaluating and measuring the risk to their supply chains.

OSC&R is a framework that enables a thorough, systematic, and actionable understanding of attacker behaviors and techniques used to compromise the software supply chain. OSC&R provides valuable and objective insights into an attack’s target and current phase.

The OSC&R is designed to provide organizations with a common language and tools for understanding attack tactics and defenses, prioritizing threats, and tracking the behavior of threat groups. It will also be updated as new tactics emerge, and it will aid in red-team penetration exercises, with input from other vendors.

While OpenVEX is designed to meet the minimum requirements defined by the United States government’s CISA cybersecurity agency and will help reduce false-positives and improve the quality of SBOMs, it is not without limitations (software bill of material). It will enable software vendors to communicate precise, actionable metadata, improving the signal-to-noise ratio and providing critical context to vulnerability warnings.

It will also make it easier for software developers to accurately describe the exploitability of their artifacts, as well as for software consumers to filter out false positives from vulnerability scanners.

While the Cybersecurity and Infrastructure Security Agency has established a new office to assist government and industry partners in implementing supply chain risk management policies within their organizations. The office caters for C-SCRM which will address issues ranging from counterfeit components to open-source software vulnerabilities.

The sources for this piece include an article in TheRegister.