Community Blog

Strengthening financial software security: A holistic approach to compliance and operational resilience

Written by FINOS Team | 9/10/24 1:22 PM

Financial services institutions worldwide are facing increasingly stringent regulations, with added complexity for those operating in multiple regions.

Those operating in Europe will be keenly aware of DORA, the Digital Operational Resilience Act. This regulation emphasizes a comprehensive approach to managing cybersecurity risks, especially those related to software supply chains.

As active contributors and members of FINOS, Sonatype has observed a rising energy in the community to create value for its members and consumers of its projects especially regarding security and compliance for regulations. To better understand the value being created by the community, let’s take a closer look at the complexities of recent regulatory changes.

Author: Aaron Linskens, Technical Writer, Sonatype


 

Navigating DORA and U.S. cybersecurity regulations

Put forth in the European Union, DORA sets high standards for ensuring operational resilience across the financial sector. It aims to ensure financial entities can withstand, respond to, and recover from all types of information and communications technology disruptions and threats.

DORA emphasizes vulnerability management in software systems and mandates financial institutions regularly assess and address vulnerabilities, focusing on those threatening critical infrastructure integrity.

In the U.S., executive orders and new regulations increasingly push for cybersecurity incident disclosures and operational resilience. Although regulations are fragmented, high-level directives demand greater transparency in cybersecurity practices. U.S. financial institutions must comply with cybersecurity incident disclosure requirements, promptly reporting breaches and vulnerabilities to regulators and affected parties.

As regulations increasingly emphasize enhanced security via vulnerability management, Sonatype believes this goal can be achieved with better software composition analysis (SCA) and better management of software dependencies.

 

Securing open source dependencies

As a unique value for FINOS members, Sonatype is working with the FINOS Board of Directors to create a custom-tailored dependency consumption analysis for members.

Drawing on exclusive insights gained from Maven Central, participating members will receive a report on when, where, and how their software teams are ingesting open source dependencies. In many cases, report recipients will find that additional processes and tools will be needed to bring their organization into compliance with regulations that they previously expected were met.

Following this effort, members have been invited by FINOS to aggregate findings into a comprehensive report that can be used by Tidelift in a special effort led by FINOS Staff. This initiative aims to make targeted security improvements to the most widely used open source packages, making supply chain security regulation compliance easier.

 

Automated support for financial software security

Guided by FINOS staff and its Technical Oversight Committee, the community increasingly incorporates industry best practices into open source software production.

Efficient vulnerability management relies on automation, where SCA tools are crucial for managing vulnerabilities in open source software.

As institutions of all sizes depend on open source, SCA is now a cornerstone of effective cybersecurity, helping identify and manage vulnerabilities in their dependencies, especially in open source libraries and frameworks.

By implementing robust SCA tools, financial institutions can:

  • Monitor open source components in their software supply chain.
  • Identify known vulnerabilities in those components.
  • Prioritize vulnerabilities based on their impact and exploitability.
  • Track and manage software licenses to ensure compliance with licensing obligations.

Transforming project security with Morphir

While many security advisories and insights are provided to projects by the Linux Foundation’s LFX platform, the FINOS Morphir project has recently brought advanced SCA tooling into its CI/CD pipelines.

SCA tools can be seamlessly integrated into a financial institution’s software development life cycle, offering ongoing surveillance of vulnerabilities in open source components. By incorporating SCA with a policy-based approach, FINOS staff and maintainers are able to control the noise levels by selecting which elements are most important for the foundation.

 

 

More FINOS projects are adopting this comprehensive SCA tooling in a single dashboard, enabling FINOS Staff to support maintainers in protecting their projects from open source malware. This initiative delivers value to users of FINOS open source software, reducing the steps needed to mitigate risks when using applications or systems like Morphir.

 

 

Centralizing compliance for cloud services

Parallel to the discussion of open source package use is the topic of cloud services consumption, an equally critical element of enterprise supply chain security.

Through the Common Cloud Controls (CCC) project and related initiatives, Sonatype is part of a community effort working to create a standard to boost cloud adoption, security, and compliance.

 

The community has made significant progress in defining a common taxonomy for cloud services, a crucial step often overlooked due to the wide array of similar services each Cloud Service Provider offers. This evolving taxonomy highlights the essential features required for a service to be considered “portable” or equivalent within its category. The project aims to facilitate true hybrid-cloud adoption by certifying service interoperability.

Building on this progress, the community will release threat and control artifacts linked to features of each service category. These threats are mapped to standards like MITRE ATT&CK, providing quick references for financial services GRC teams. Similarly, CCC’s controls align with mitigations from frameworks like CCM, ISO 27001, and NIST 800-53. In collaboration with

FS-ISAC members, the FINOS community is developing infrastructure as code for secure-by-default deployment, enabling rapid deployment by teams. This collaboration also involves creating plugin-based validation tests to ensure CCC compliance.

 

Building operational resilience and compliance

As cybersecurity regulations evolve globally, financial institutions face pressure to boost digital resilience. Frameworks like DORA in Europe, alongside global regulations, require a proactive approach to managing vulnerabilities, especially in open source.

By implementing SCA along with vulnerability management strategies, financial institutions ensure compliance and enhance security. Robust SCA tools help monitor and manage software supply chain vulnerabilities, keeping them compliant and resilient against cybersecurity threats.

Adopting these practices allows financial institutions to confidently navigate complex regulations, safeguarding systems and contributing to a secure global financial ecosystem.

 

JOIN US AT THE OPEN SOURCE IN FINANCE FORUM (OSFF) THIS YEAR