How Banks Can Prevent Software Supply Chain Attacks by Integrating TP Risk Intelligence with the Software Bill of Materials (SBOMs)

By The Mirato Team

A growing number of proprietary software applications contain open-source code. This introduces multiple risk domains, including licensing terms and software vulnerabilities, along with the growing need to mitigate operational risks by proactively identifying malicious code. Coupled with the increase in the number and complexity of third-party relationships required to support business operations, banks expose themselves and their customers to greater risk when those components are exposed to critical vulnerabilities or do not conform to company policies.

According to the 2021 Open Source Security and Risk Analysis (OSSRA) report, 84% of the codebases audited contained at least one public open source vulnerability, with 60% of codebases containing high-risk open source vulnerabilities. Furthermore, 65% of the audited codebases contained open-source software with license conflicts.

Recent incidents such as the highly publicized SolarWinds breach illustrate the potential impacts of malicious code and the resulting need for increased visibility into the software supply chain, including an understanding of the specific “ingredients” contained in a software package. This has led to government cybersecurity measures that require software vendors to create a software bill of materials (SBOM) describing the components used in creating a software package, including a May 2021 Executive Order on Cybersecurity issued by the Biden administration.

New Attacks Require Novel Solutions

As these software supply chain attacks increase, risk management leaders must expand their efforts across the growing ecosystem of third parties. This is particularly true in the financial services industry, which is highly interconnected and governed by stringent regulations. For example, a third party such as a software vendor that is hacked could result in increased operational risk by creating disruption, leaving a bank with a downed system.

However, according to Gartner®, given the complexity of information and communications technology (ICT) supply chain ecosystems and the sheer scale of data and assets to protect, security and risk management efforts are still largely in the awareness phase and remain siloed.[2] This can leave an organization exposed.

If an incident occurs with either an open-source or commercial software product supplied by a third party, a bank must be able to identify very quickly which of its functional areas will be impacted. After the news of a breach breaks, regulators such as the Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of the Currency (OCC) or others will be one step behind, seeking to determine how quickly the organization can address any impacts.

Unfortunately, this response often occurs only after a breach has been detected and the damage has been done since many banks cannot efficiently monitor a list of thousands of different software ingredients, typically located throughout the organization, on an ongoing basis. Banks rarely have one single view of their third-party risk, requiring a lot of manual effort to pull information and monitor it for risk.

Leveraging AI and NLP to Continuously Monitor the SBOM to Help Prevent Software Supply Chain Attacks

A “shift left” approach can help ensure software supply chain attacks are proactively prevented rather than reactively defended. Shift left, a practice used by software developers to find and prevent defects early in the software delivery process, improves quality by addressing the most vulnerable tasks as early in the lifecycle as possible.

This approach requires advanced technologies such as automated third-party risk intelligence solutions to augment highly manual processes. Rather than being managed in disparate Excel spreadsheets or programs, SBOMs can all be pulled into one central system for continuous monitoring and mitigation. This enables integration with additional data sources, such as financial health, negative news announcements, the deep web and more, that can provide information on potential open-source software vulnerabilities.

Sophisticated technologies such as artificial intelligence (AI) and natural language processing (NLP) continuously monitor and analyze data to offer contextualized insights that provide near real-time alerts and potential impacts of emerging threats based on concentration risk analysis. Automated third-party risk intelligence solutions can also be integrated to support similar processes from tools such as software composition analysis (SCA) programs that identify software packages that contain vulnerabilities as well as the license used to distribute a software package to support the assessment of legal risks. 

AI is key to this process as it can uniquely handle and evaluate unstructured data, enabling automated third-party risk intelligence solutions to extract data from numerous sources and turn it into actionable insights about a bank’s risk exposure to potential software vulnerabilities. This enables risk managers to model the potential cascading effects from a risk event across their supply chain by allowing users to view concentration risk from whatever aggregator they choose, such as geographic location, 4th parties or other vulnerabilities.
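The central SBOM store, the "which functional areas are impacted" lookup and the concentration view described above, reduced to plain data handling, as an added example that is not Mirato's code or any product's API. It assumes SBOMs arrive as CycloneDX JSON, that vendor and functional area come from the bank's own records, and that components are matched on exact package URL; every name and value is constructed.

```python
import json
from collections import defaultdict

def _sbom(app, comps):
    # Build a minimal CycloneDX-style JSON document (constructed sample data).
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
        "metadata": {"component": {"name": app}},
        "components": [{"name": n, "version": v, "purl": f"pkg:generic/{n}@{v}"}
                       for n, v in comps]})

# Constructed inventory: vendor and functional area are the bank's own records,
# attached to each SBOM at ingestion. Every name here is hypothetical.
INVENTORY = [
    {"vendor": "VendorA", "area": "payments",
     "sbom": _sbom("wire-gateway", [("libexample", "1.4.2"), ("jsonkit", "2.0.0")])},
    {"vendor": "VendorB", "area": "lending",
     "sbom": _sbom("loan-origination", [("libexample", "1.4.2"), ("pdfgen", "0.9.1")])},
    {"vendor": "VendorA", "area": "payments",
     "sbom": _sbom("card-switch", [("jsonkit", "2.1.0")])},
]

def build_index(inventory):
    """Map each component purl to the (application, vendor, area) records using it."""
    index = defaultdict(list)
    for entry in inventory:
        doc = json.loads(entry["sbom"])
        if doc.get("bomFormat") != "CycloneDX":
            continue  # skip documents this sketch does not understand
        app = doc["metadata"]["component"]["name"]
        for comp in doc.get("components", []):
            index[comp["purl"]].append((app, entry["vendor"], entry["area"]))
    return index

def impacted_areas(index, advisory_purls):
    """For the purls named in an advisory, return {area: sorted application names}."""
    hit = defaultdict(set)
    for purl in advisory_purls:
        for app, _vendor, area in index.get(purl, []):
            hit[area].add(app)
    return {area: sorted(apps) for area, apps in hit.items()}

def concentration(index, min_areas=2):
    """Components present in at least min_areas distinct functional areas."""
    return sorted(p for p, uses in index.items()
                  if len({area for _, _, area in uses}) >= min_areas)

if __name__ == "__main__":
    idx = build_index(INVENTORY)
    print(impacted_areas(idx, ["pkg:generic/libexample@1.4.2"]))
    print(concentration(idx))
```

Exact-purl matching is the simplification here: a real advisory usually names a version range, so the lookup would compare versions rather than strings.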

In fact, risk management lends itself particularly well to these capabilities, as risk issues frequently include unlikely and/or ambiguous events. This helps banks strengthen their third-party risk management (TPRM) programs to anticipate, identify and adapt to the accelerated risk environment.  

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.