OSC&R, OpenVEX, C-SCRM set to tackle supply chain attacks

The OSC&R (Open Software Supply Chain Attack Reference), Open Visibility Exploitability eXchange (OpenVEX), a tool for addressing vulnerabilities in enterprise software, and cyber supply chain risk management (C-SCRM), are set to help enterprises combat supply chain attacks. The tools will provide a common framework for evaluating and measuring the risk to their supply chains.

OSC&R is a framework that enables a thorough, systematic, and actionable understanding of attacker behaviors and techniques used to compromise the software supply chain. OSC&R provides valuable and objective insights into an attack’s target and current phase.

The OSC&R is designed to provide organizations with a common language and tools for understanding attack tactics and defenses, prioritizing threats, and tracking the behavior of threat groups. It will also be updated as new tactics emerge, and it will aid in red-team penetration exercises, with input from other vendors.

While OpenVEX is designed to meet the minimum requirements defined by the United States government’s CISA cybersecurity agency and will help reduce false-positives and improve the quality of SBOMs, it is not without limitations (software bill of material). It will enable software vendors to communicate precise, actionable metadata, improving the signal-to-noise ratio and providing critical context to vulnerability warnings.

It will also make it easier for software developers to accurately describe the exploitability of their artifacts, as well as for software consumers to filter out false positives from vulnerability scanners.

While the Cybersecurity and Infrastructure Security Agency has established a new office to assist government and industry partners in implementing supply chain risk management policies within their organizations. The office caters for C-SCRM which will address issues ranging from counterfeit components to open-source software vulnerabilities.

The sources for this piece include an article in TheRegister.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web