Sonatype explores open source vulnerabilities in finance

By William Girling
Sonatype has released a new whitepaper exploring the top five open source vulnerabilities affecting financial institutions.

On the front line of any digital transformation is open source software. Today’s modern enterprise applications are composed of 85% open source components, so it is no exaggeration to say that open source is now everywhere. Therefore, it is imperative, now more than ever, that organisations automate open source governance accordingly. To do this, Sonatype Nexus is dedicated to helping businesses navigate their desire for speed without sacrificing security.

Because they operate within a highly regulated industry, financial service organisations (FSOs) face many unique challenges. Sonatype has found that many FSOs are using vulnerable third-party components in their software without even knowing it, which poses a significant risk. To help them address these vulnerabilities and maintain security, Sonatype has released its ‘Top 5 Open Source Vulnerabilities in Financial Institutions’ white paper, examining the most vulnerable components currently affecting the global finance industry. FinTech Magazine will explore each entry in greater detail as part of our forthcoming series on the topic; before that, however, we will explore the background and motivation of Sonatype’s work.

Sonatype Nexus works to provide purposeful digital transformations that deliver value to organisations, their customers and end-users by eliminating inefficiency and driving optimisation. To do this, Sonatype integrates automated open source governance policies across the DevOps pipeline. “Digital transformation is key to improving the customer experience, increasing productivity and efficiency and reducing time-to-market, so it’s no surprise that developers turn to open source to innovate more quickly,” says Sonatype. However, while the utility of open source lies in its innate flexibility, that same flexibility can also pose its most significant challenge. Security, particularly within the highly regulated financial services sector, is paramount, and squaring the circle of a solid speed-safety ratio is a highly sought-after prize: 24% of FSIs (financial service institutions) cite it as their primary concern.

It is crucial that companies understand the inherent vulnerabilities of open source, something which will only become more prevalent as banks, insurers and other entities come under pressure from regulatory authorities. After all, as the whitepaper says, “open source isn’t easy in regulated industries.” On this topic, the company poses three questions to those operating within finance:

  1. Are you aware of license obligations agreed by developers?
  2. Can you remain compliant with open source policies and halt progress if components of the SDLC (systems development life cycle) are proved to be insecure?
  3. Are you able to categorically and quantifiably prove that your apps are secure?

With one in four organisations having experienced a breach related to open source, Sonatype recommends automated solutions in order to bolster compliance, “shift security practices left and empower developers to select only the highest quality components.” The company’s Nexus suite can provide these solutions, ensuring that risk is managed at every stage of the SDLC. Powered by AI (artificial intelligence), ML (machine learning) software and a world-class research team, the available software includes:

  • Nexus Lifecycle continually scans and assesses vulnerabilities
  • Nexus Firewall prevents hazardous OSS from entering the SDLC
  • Nexus Auditor examines components within production apps
  • Nexus Repository manages libraries and build artefacts

In our next article on the Sonatype whitepaper, FinTech Magazine will begin exploring the top five open source vulnerabilities.
