OX Security, the pioneer in Active Application Security Posture Management (Active ASPM), today issued the OSC&R community’s inaugural software supply chain threat report, "OSC&R in the Wild...
Autore: Business Wire
OX Researchers Analyze Millions of Vulnerabilities Against the Industry’s First Supply-Chain Security Specific Attack Matrix
NEW YORK & TEL AVIV, Israel: OX Security, the pioneer in Active Application Security Posture Management (Active ASPM), today issued the OSC&R community’s inaugural software supply chain threat report, "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures." Based on a nine-month analysis of over 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications, the report is the first comprehensive analysis of the severity of vulnerabilities across the software supply kill chain. OSC&R in the Wild quantifies the ongoing challenge of detecting and remediating severe security risks among the 97% of benign alerts, and offers guidance for adopting a more proactive, attacker-centric security strategy.
The Open Software Supply Chain Attack Reference (OSC&R) framework, first published in early 2023, was developed collaboratively by cybersecurity veterans from OX Security, Microsoft, Oracle, GitLab, Fortinet, FICO, and more. OSC&R is a MITRE ATT&CK-like framework that gives organizations a single point of reference to proactively assess their strategies to secure their software supply chains. The goal of this inaugural OSC&R report is to help AppSec teams better understand how adversaries view and target the entire kill chain, and to help prioritize where best to focus their limited resources.
The report found that many applications contained multiple vulnerabilities spanning various stages of the kill-chain, leaving them even more vulnerable to a successful attack. And a surprising number of long-documented vulnerabilities were still frequently found in the wild. For instance, older tactics such as backdoor code insertion remain prevalent. The recently discovered CVE-2024-3094 exploit, targeting XZ Utils in major Linux distributions, shows that attackers still successfully use this method. The widespread presence of these vulnerabilities in the report’s code samples underscores the persistent risk.
Key Findings include:
“One of the questions our researchers sought to answer was whether there was alignment between the vulnerabilities found in the wild and the focus of AppSec teams,” said Neatsun Ziv, CEO of OX Security. “The data suggests there is a misalignment. We found significant vulnerabilities at every stage of the kill chain. The volume of vulnerabilities passing through the supply chain into live applications, and the high percentage of organizations reporting incidents, indicate that AppSec teams need to focus on both threat detection and fostering a culture of continuous improvement and adaptation in security practices.”
Utilizing the OSC&R framework with Application Detection and Response (ADR) and Application Security Posture Management (ASPM), organizations can gain a comprehensive understanding of their software supply chain vulnerabilities, adopting a more proactive, attacker-centric security strategy. This approach will help foresee potential threats and implement robust defenses, ultimately reducing the likelihood of severe vulnerabilities reaching production code.
“As reliance on software supply chains has increased for enterprise application development, attackers have been quick to exploit vulnerabilities within third-party code,” said David Cross, former Microsoft and Google cloud security executive and founding OSC&R member. “The OSC&R report underscores the critical importance of the OSC&R framework in addressing software supply chain vulnerabilities. The report not only highlights the pervasive nature of these threats but also provides a comprehensive methodology for AppSec teams to prioritize their efforts effectively. By leveraging the OSC&R framework, organizations can gain deeper insight into adversarial behaviors and better align their security strategies to mitigate risks. It's an invaluable resource for any organization looking to strengthen their software supply chain security posture.”
Download the full "OSC&R in the Wild: A New Look at the Most Common Software Supply Chain Exposures" report here.
About the OSC&R Community
The Open Software Supply Chain Attack Reference (OSC&R) community is a collaborative effort dedicated to enhancing the security of software supply chains. Launched in February 2023 and spearheaded by OX Security, the community includes cybersecurity veterans from OX Security, Microsoft, Oracle, GitLab, Fortinet, and FICO. These experts created the OSC&R framework, modeled after MITRE ATT&CK, to help organizations assess their software supply chain security strategies, identify vulnerabilities, and compare solutions effectively. As an open-source framework, OSC&R provides actionable insights into the tactics, techniques, and procedures (TTPs) used by adversaries to compromise software supply chains. By providing a standardized language and framework, OSC&R empowers the security community to proactively secure software supply chains and mitigate risks. For more information, visit pbom.dev or join the conversation and contribute to our Slack community.
About OX Security
At OX Security, we’re unifying application security (AppSec) with the first-ever Active ASPM platform, which ensures seamless visibility and traceability from code to cloud. Leveraging our proprietary AppSec Data Fabric, OSC&R framework, and Attack Path Reachability Analysis, OX delivers comprehensive security coverage, contextualized prioritization, and automated response and remediation throughout the software development lifecycle. Recently recognized as a Gartner Cool Vendor and a SINET 16 Innovator, OX is trusted by dozens of global enterprises and tech-forward companies. Founded by industry leaders Neatsun Ziv, former VP of CheckPoint’s Cyber Security business unit, and Lior Arzi from Check Point's Security Division, OX’s Active ASPM platform is more than a solution; it empowers organizations to take the first step toward eliminating manual AppSec practices while enabling scalable and secure development.
Fonte: Business Wire