The OSS Secure Supply Chain Framework is a security assurance and risk reduction process that is focused on securing how developers consume open source software.

Who is this intended for? This is a consumption-focused secure supply chain framework using a threat-based risk-reduction approach. The OSS SSC Framework aims to prevent the consumption of compromised and malicious OSS packages, and decrease the Mean Time To Remediate (MTTR) for addressing known vulnerabilities in OSS. The OSS SSC Framework provides security guidance and tools throughout the developer inner-loop and outer-loop processes. 

The Microsoft OSS SSC Framework is based on three core concepts—control all artifact inputs, continuous process improvement, and scale:

Diagram.jpg

Diagram.jpg

Download the guide

The OSS SSC Framework is a combination of processes and tools for any organization to adopt, along with a capability maturity roadmap to help establish a secure OSS ingestion process to protect developers from OSS Supply Chain threats, and to establish a governance program to manage your organization’s use of OSS.