We built the S2C2F as a consumption-focused framework that uses a threat-based, risk-reduction approach to mitigate real-world threats. One of its primary strengths is how well it pairs with any producer-focused framework, such as SLSA. The framework enumerates a list of real-world supply chain threats specific to OSS and explains how the framework's requirements mitigate those threats. It also includes a high-level, platform- and software-agnostic set of focuses that are divided into eight...

Read the full article at Microsoft Press