Sonatype explores open source vulnerabilities in finance
On the front line of any digital transformation is open source software. Today’s modern enterprise applications are composed of 85% open source components, so it is no exaggeration to say that open source is now everywhere. Therefore, it is imperative, now more than ever, that organisations automate open source governance accordingly. To do this, Sonatype Nexus is dedicated to helping businesses navigate their desire for speed without sacrificing security.
Because they are operating within a highly regulated industry, financial service organisations (FSOs) face many unique challenges. Sonatype has found that many FSOs are using vulnerable third-party components in their software without even knowing that they are, posing a significant risk. To help them address these vulnerabilities and maintain security, Sonatype has released its ‘’ white paper examining the most vulnerable components currently affecting the global finance industry. FinTech Magazine will explore each entry in greater detail as part of our forthcoming series on the topic; however, before that, we will further explore the background and motivation of Sonatype’s work.
Sonatype Nexus works to provide purposeful digital transformations that deliver value to organisations, their customers and end-users by eliminating inefficiency and driving optimisation. To do this, Sonatype integrates automated open source governance policies across the DevOps pipeline. “Digital transformation is key to improving the customer experience, increasing productivity and efficiency and reducing time-to-market, so it’s no surprise that developers turn to open source to innovate more quickly,” says Sonatype. However, while the utility of open source lies in its innate flexibility, that same flexibility can also pose its most significant challenge. Security, particularly within the highly regulated financial services sector, is paramount above all, and squaring the circle of achieving a solid speed-safety ratio is a highly sought-after prize; 24% of FSIs (financial service institutions) cite it as their primary concern.
It is crucial that companies understand the inherent vulnerabilities of open source, something which will only become prevalent as banks, insurers and other entities come under pressure from regulatory authorities. After all, as the whitepaper says, “open source isn’t easy in regulated industries.” On this topic, the company poses three questions to those operating within finance:
- Are you aware of license obligations agreed by developers?
- Can you remain compliant with open source policies and halt progress if components of the SDLC (systems development life cycle) are proved to be insecure?
- Are you able to categorically and quantifiably prove that your apps are secure?
With one in four organisations having experienced a breach related to open source, Sonatype recommends automated solutions in order to bolster compliance, “shift security practices left and empower developers to select only the highest quality components.” The company’s Nexus suite can provide these solutions, ensuring that risk is managed at every stage of the SDLC. Powered by AI (artificial intelligence) and ML (machine learning) software and backed by a world-class research team, the suite includes:
- Nexus Lifecycle continually scans and assesses vulnerabilities
- Nexus Firewall prevents hazardous OSS from entering the SDLC
- Nexus Auditor examines components within production apps
- Nexus Repository manages libraries and build artefacts
In our next article on the Sonatype whitepaper, FinTech Magazine will begin exploring the top five open source vulnerabilities.
Singapore FinTech Association launches new networking club
The Singapore FinTech Association (SFA) has announced the launch of a new SG FinTech Club, which will act as a hub that enhances networking among local fintech companies based in Singapore.
The APAC nation is a leading regional centre for fintechs, with the sector accounting for 13% of Singapore’s GDP in 2020. More than 1,400 fintech companies are based there, employing an estimated 10,000 people.
Technology is a driving factor within the space, and the SG FinTech Club will act as a base through which knowledge, resources and connections can be shared, raising the level of expertise across the sector.
According to reports, the SFA will also develop and curate engagement programmes for the fintech ecosystem. SG FinTech Club members will benefit from hospitality privileges offered by Supporting Partners, such as co-working spaces, which they can use for social engagements.
The club’s existing membership platform will also enable users to sign up for talent matchmaking sessions, industry expert mentorship programmes, and masterclasses organised by SFA.
SG Fintech Club partnerships
The initiative has attracted the attention of several global fintech leaders: the Institute of Banking and Finance (IBF) and J.P. Morgan have joined the club as Supporting Partner and Corporate Partner, respectively, to develop skills and career development events.
Speaking about the launch of the new club, Shadab Taiyabi, President of SFA, explained, “We are proud to collaborate with MAS on the launch of SG FinTech Club, and play our part in contributing to Singapore’s thriving FinTech ecosystem.
“We hope that the Club would be the key platform for inspiration and innovation, where professionals in the financial services sector can come to exchange opinions, network, and explore endless ideas with other like-minded individuals.
He continued, “Through the Club, we strive to champion and bolster Singapore’s FinTech entrepreneurship growth, facilitate the sharing of insights, collaborations, discussions and advocate the importance of upskilling amongst professionals across the financial services industry.”
Image credit: Singapore FinTech Association event