Are financial firms on top of software supply chain risks? 

At a time dominated by digital transformation, financial institutions face unique challenges in securing their software supply chains. The integration of open-source software (OSS), whilst driving innovation, also introduces complex cybersecurity risks.

In this Q&A, Yoav Ziv, Chief Customer Officer at Checkmarx explores the potential threats that open-source software can pose to financial firms, and how they can address these risks and maintain trust with their customers.

What are the risks around the use of open-source software in the financial sector? 

The use of OSS is quite common in the financial sector since these components enable software to be created more efficiently and at lower costs. Whether a firm is large enough to invest in developing its own software tools or simply uses solutions created elsewhere, there is a high chance of open-source code being included.

However, this introduces several risks, particularly around targeted supply chain attacks. In 2023, we detected the first recorded OSS supply chain attacks targeting the banking sector. These sophisticated attacks often involve embedding malicious code within OSS components. This poses a significant threat to financial organisations due to their interconnected systems and reliance on digital platforms. 

The primary risk is unauthorised access. Attackers exploiting OSS vulnerabilities can breach financial systems, leading to data leaks or service disruptions. These breaches not only have financial implications but also erode customer trust – a critical risk in a sector where trust is so important.  

Data integrity is a particular concern since firms routinely handle sensitive information for clients. Additionally, the complexity of financial systems means a breach in one area can quickly escalate, causing widespread issues.  

What are the key challenges and solutions for maintaining trust in the use of open-source software within the financial sector’s digital assets? 

For firms developing their own in-house software, maintaining trust in open-source assets presents unique challenges. The main issue is ensuring the security and integrity of OSS, which is increasingly used in critical financial applications. This involves a multi-faceted approach. 

Firstly, implementing robust Software Composition Analysis (SCA) is crucial. SCA tracks OSS packages used within an organisation, helping to identify known vulnerabilities. Generating Software Bills of Materials (SBOMs) is also essential, providing a comprehensive list of all OSS components in use, which aids in risk assessment and management. SBOMs are mandatory for US government agencies under the 2021 executive order, and the practice is highly recommended by ENISA and the NCSC.  

Another challenge is monitoring the reputation of OSS projects. Financial institutions should look out for sudden changes in package publishing routines or other anomalous activities, which could indicate security risks. Both static and dynamic analyses of package behaviour are necessary to detect potential vulnerabilities. 

To maintain trust, financial institutions must also ensure transparency with their customers and stakeholders about their use of OSS and the measures taken to secure it. This includes clear communication about security practices and regular updates on how OSS-related risks are managed. 

For firms that do not develop their own software, it’s important to take this same approach with the vendors of any software they use. Ask for details on how the solutions use OSS, and what steps are in place to secure them against supply chain risks.   
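The answer above describes two of the practices an SCA programme rests on: keeping an SBOM inventory of OSS components and matching it against known vulnerabilities. The following is an added example written for this page, not code from Checkmarx or from the interview. It parses a constructed CycloneDX-style SBOM, compares each component's version against a constructed advisory feed (the package names, versions and advisory ids are placeholders), and reports which components fall inside an affected version range.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5-style SBOM for a hypothetical internal application.
# Every package name and version here is made up for the example.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"name": "payments-gateway", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "left-padder", "version": "1.3.0",
     "purl": "pkg:pypi/left-padder@1.3.0"},
    {"type": "library", "name": "fast-json", "version": "2.1.4",
     "purl": "pkg:pypi/fast-json@2.1.4"},
    {"type": "library", "name": "ledger-crypto", "version": "0.9.1",
     "purl": "pkg:pypi/ledger-crypto@0.9.1"}
  ]
}
"""

# Constructed advisory feed with placeholder ids. Each entry names a package
# (by purl without the version) and the version range that is affected.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "purl_prefix": "pkg:pypi/left-padder",
     "affected": "<1.4.2", "severity": "high"},
    {"id": "EXAMPLE-2024-0002", "purl_prefix": "pkg:pypi/fast-json",
     "affected": ">=2.0.0,<2.1.0", "severity": "critical"},
    {"id": "EXAMPLE-2024-0003", "purl_prefix": "pkg:pypi/ledger-crypto",
     "affected": "<1.0.0", "severity": "medium"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a 3-part int tuple ("2.0" -> (2, 0, 0))
    so that tuple comparison behaves like a numeric version comparison."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def satisfies(version: str, constraint: str) -> bool:
    """Check one version against a comma-separated constraint such as
    '>=2.0.0,<2.1.0'. Every clause must hold for the version to be affected."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = re.match(r"\s*(<=|>=|==|<|>)\s*([\d.]+)\s*$", clause)
        if not m:
            raise ValueError(f"unsupported constraint clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        holds = {"<": v < bound, "<=": v <= bound, ">": v > bound,
                 ">=": v >= bound, "==": v == bound}[op]
        if not holds:
            return False
    return True


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract (name, version, purl-without-version) for each SBOM component."""
    sbom = json.loads(sbom_json)
    components = []
    for c in sbom.get("components", []):
        purl = c.get("purl", "")
        components.append({"name": c["name"], "version": c["version"],
                           "purl_prefix": purl.split("@", 1)[0]})
    return components


def find_vulnerable(components: List[Dict[str, str]],
                    advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (component, advisory) pair whose version is affected."""
    findings = []
    for comp in components:
        for adv in advisories:
            if adv["purl_prefix"] == comp["purl_prefix"] and \
                    satisfies(comp["version"], adv["affected"]):
                findings.append({"component": comp["name"],
                                 "version": comp["version"],
                                 "advisory": adv["id"],
                                 "severity": adv["severity"]})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable(load_components(SBOM_JSON), ADVISORIES):
        print(f"{f['severity'].upper():8} {f['component']}=={f['version']} "
              f"affected by {f['advisory']}")
```

On the constructed input, left-padder 1.3.0 and ledger-crypto 0.9.1 are flagged, while fast-json 2.1.4 is outside the affected range and is not. Real SBOMs and advisory feeds use richer version schemes (pre-release tags, ecosystem-specific ordering), so a production check should use the ecosystem's own version library rather than the simple numeric comparison shown here.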

What technical measures should financial firms adopt to enhance their cybersecurity posture? 

In response to the increasing number of targeted attacks on the banking sector’s software supply chain, financial firms need to adopt a comprehensive set of technical measures to bolster their cybersecurity posture.  

Firstly, integrating security into every stage of the software development lifecycle is key. This involves employing advanced tools for continuous monitoring and detection of vulnerabilities, particularly in open-source components. Implementing automated security testing and regular code reviews can help identify potential threats early on in the development process. 

Another critical measure is the use of AI-driven security solutions. These can provide enhanced capabilities in detecting complex threats and anomalies that traditional methods might miss. AI can also assist in reducing false positives, allowing security teams to focus on genuine threats. 

Financial firms should also focus on securing their development environments. This includes ensuring that developers use secure coding practices and have access to tools that help them write more secure code. Regular training and awareness programmes for developers are essential to keep them updated on the latest security practices and threats. 

Additionally, firms should have strategies in place to protect against emerging threats like AI package hallucinations and dependency confusion. This might involve more rigorous vetting of third-party components and increased collaboration with trusted vendors and security partners. 
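The answer above names dependency confusion and AI package hallucinations as threats that call for more rigorous vetting of third-party components. The following is an added example written for this page, not code from Checkmarx or from the interview. It audits a constructed requirements file against a constructed inventory of the firm's private index and a constructed snapshot of public package names (package names are hypothetical, except for well-known public ones used as realistic filler), classifying each dependency as internal, public, a name collision between the two (the precondition for dependency confusion), or unresolved on either index (a typo or a name an AI assistant may have invented). It also flags the pip configuration pattern that allows confusion: a private `--index-url` combined with a public `--extra-index-url`.

```python
import re
from typing import Dict, List, Set

# Constructed inventory of packages published to the firm's private index.
INTERNAL_PACKAGES: Set[str] = {"acme-ledger-core", "acme-kyc-client", "acme-reporting"}

# Constructed snapshot of names present on the public index. In practice this
# would be queried from the registry; "acme-reporting" is included to model a
# public package registered under an internal name.
PUBLIC_PACKAGES: Set[str] = {"requests", "numpy", "acme-reporting"}

# Constructed requirements file for a hypothetical internal service. The last
# line models a dependency suggested by an AI assistant that exists nowhere.
REQUIREMENTS = """
# service dependencies
requests==2.31.0
acme_ledger_core==4.2.0
acme-reporting>=1.0
numpy==1.26.4
secure-ledger-toolkit==0.3.1
"""


def normalize(name: str) -> str:
    """Normalize a distribution name the way Python packaging does: lower-case,
    with runs of '-', '_' and '.' collapsed to a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text: str) -> List[str]:
    """Return the normalized package names from a requirements file, ignoring
    comments, blank lines and version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(normalize(m.group(1)))
    return names


def classify(name: str, internal: Set[str], public: Set[str]) -> str:
    """Classify one dependency by where its name resolves."""
    in_internal, in_public = name in internal, name in public
    if in_internal and in_public:
        return "collision"    # same name on both indexes: dependency confusion risk
    if in_internal:
        return "internal"
    if in_public:
        return "public"
    return "unresolved"       # not on either index: typo or hallucinated package


def audit(requirements: str, internal: Set[str], public: Set[str]) -> Dict[str, List[str]]:
    """Group every dependency in the requirements file by its classification."""
    report: Dict[str, List[str]] = {"internal": [], "public": [], "collision": [], "unresolved": []}
    internal_n = {normalize(n) for n in internal}
    public_n = {normalize(n) for n in public}
    for name in parse_requirements(requirements):
        report[classify(name, internal_n, public_n)].append(name)
    return report


def index_config_warnings(pip_config: str) -> List[str]:
    """Warn when a private --index-url is combined with --extra-index-url: pip
    then searches both indexes and installs the highest version it finds, which
    is the behaviour dependency confusion relies on. The recommended setup is a
    single private index that proxies approved public packages."""
    has_index = "--index-url" in pip_config
    has_extra = "--extra-index-url" in pip_config
    if has_index and has_extra:
        return ["--extra-index-url is set alongside --index-url; pip will resolve "
                "names from both indexes and prefer the highest version"]
    return []


if __name__ == "__main__":
    for category, names in audit(REQUIREMENTS, INTERNAL_PACKAGES, PUBLIC_PACKAGES).items():
        print(f"{category:10} {', '.join(names) or '-'}")
    # Constructed pip config with the risky combination (hypothetical hostnames).
    for w in index_config_warnings("--index-url https://pypi.internal.example/simple\n"
                                   "--extra-index-url https://pypi.org/simple\n"):
        print("WARNING:", w)
```

On the constructed input, `acme-reporting` is reported as a collision and `secure-ledger-toolkit` as unresolved, and the config check warns about the extra index. The collision and unresolved categories are the ones to route to a human reviewer before the build is allowed to install anything.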

Complementing the tech side, what strategic and process-based measures should financial firms adopt? 

Addressing the complexity of software supply chains requires a blend of strategic and process-based measures. A holistic approach to security is essential, integrating it into the core business strategy and operational processes. 

Strategically, financial firms should prioritise security at the board level, ensuring it is a key component of all business decisions. This involves aligning security practices with business objectives, making security a part of the organisational culture rather than an afterthought. Senior management should drive this initiative, setting clear policies and allocating adequate resources for security initiatives. 

From a process standpoint, firms need to establish a comprehensive framework for managing software supply chain risks. This includes conducting thorough risk assessments, implementing robust security protocols, and ensuring continuous monitoring and auditing of the supply chain. Regular updates and patches to software components, along with stringent vendor management practices, are crucial to safeguard against vulnerabilities. 

Our overarching advice is that firms should adopt a proactive approach to security, anticipating potential threats and preparing contingency plans. This involves staying abreast of the latest cybersecurity trends and threats, and continuously updating and adapting security measures. 

In essence, managing the complexity of software supply chains in the financial sector requires a strategic, top-down approach, combined with rigorous process-based measures, to ensure robust and resilient cybersecurity practices. 

Executive Profile 

Yoav Ziv

Yoav Ziv is a transformative technology and business executive with extensive experience in transforming and running global enterprises, integrating commercial, economic, technology, and people aspects to drive transformations that result in better growth and more efficient businesses. 
