Sonatype explores open source vulnerabilities in finance

Sonatype has released a new whitepaper exploring the top five open source vulnerabilities affecting financial institutions.

On the front line of any digital transformation is open source software. Today’s modern enterprise applications are composed of 85% open source components, so it is no exaggeration to say that open source is now everywhere. Therefore, it is imperative, now more than ever, that organisations automate open source governance accordingly. To do this, Sonatype Nexus is dedicated to helping businesses navigate their desire for speed without sacrificing security. 

Because they are operating within a highly regulated industry, financial service organisations (FSOs) face many unique challenges. Sonatype has found that many FSOs are using vulnerable third-party components in their software without even knowing that they are, posing a significant risk. To help them address these vulnerabilities and maintain security, Sonatype has released its ‘Top 5 Open Source Vulnerabilities in Financial Institutions’ white paper examining the most vulnerable components currently affecting the global finance industry. FinTech Magazine will explore each entry in greater detail as part of our forthcoming series on the topic; however, before that, we will further explore the background and motivation of Sonatype’s work. 

Sonatype Nexus works to provide purposeful digital transformations that deliver value to organisations, their customers and end-users by eliminating inefficiency and driving optimisation. To do this, Sonatype integrates automated open source governance policies across the DevOps pipeline. “Digital transformation is key to improving the customer experience, increasing productivity and efficiency and reducing time-to-market, so it’s no surprise that developers turn to open source to innovate more quickly,” says Sonatype. However, while the utility of open source lies in its innate flexibility, this can also pose its most significant challenge. Security, particularly within the highly regulated financial services sector, is paramount above all and squaring the circle of achieving a solid speed-safety ratio is a highly sought after prize; 24% of FSIs (financial service institutions) cite it as their primary concern.

It is crucial that companies understand the inherent vulnerabilities of open source, something which will only become prevalent as banks, insurers and other entities come under pressure from regulatory authorities. After all, as the whitepaper says, “open source isn’t easy in regulated industries.” On this topic, the company poses three questions to those operating within finance:

1. Are you aware of license obligations agreed by developers?
2. Can you remain compliant with open source policies and halt progress if components of the SDLC (systems development life cycle) are proved to be insecure?
3. Are you able to categorically and quantifiably prove that your apps are secure?

With one in four organisations having experienced a breach related to open source, Sonatype recommends automated solutions in order to bolster compliance, “shift security practices left and empower developers to select only the highest quality components.” The company’s Nexus suite can provide these solutions, ensuring that risk is managed at every stage of the SDLC. Powered by AI (artificial intelligence), ML (machine learning) software and a world-class research team, the available software includes:

• Nexus Lifecycle continually scans and assesses vulnerabilities
• Nexus Firewall prevents hazardous OSS from entering the SDLC
• Nexus Auditor examines components within production apps
• Nexus Repository manages libraries and builds artefacts

In our next article on the Sonatype whitepaper, FinTech Magazine will begin exploring the top five open source vulnerabilities