Improved application security for financial services
FS-ISAC identifies a new cyber attack risk in your "IT supply chain." Sonatype can help.
Data breaches, online banking security and the overall growing threat of cyber attacks concern all organizations, but perhaps none more than the financial services industry.
To address these concerns, the FS-ISAC (Financial Services – Information Sharing and Analysis Center) has released guidelines regarding security risk from "third party service and product providers."
Sonatype is a preferred application security vendor. Why?
FS-ISAC recommends Sonatype for "Policy management and enforcement of open source libraries and components." With Component Lifecycle Management (CLM), you can:
- Find and remediate security problems early in development using the tools that your developers use every day. No extra work or delays.
- for open source security, license & quality with integration throughout your software development lifecycle.
- to ensure trust over time, so you'll know when a new risk is discovered and exactly where you are impacted.
Why are components the "neglected 90%?" What's the risk?
Components are like LEGO building blocks that let developers build innovative new financial applications quickly. However, most application security methods focus on the source code that is written and compiled, not on the components that are downloaded and assembled.
Components make up 90% of a typical application, and 71% of these applications have at least one critical or severe vulnerability. Components with known vulnerabilities are an easily avoidable risk: identify them and avoid them.
Wired Magazine: Aetna Chief Security Officer, Jim Routh, discusses component-based risk
"The good news is that reusable code has clearly arrived...the not so good news is that it has vulnerabilities in many of the most commonly used components. Estimates indicate that 46 million downloads in 2012 included insecure components or code with high-risk security vulnerabilities. Once the code is assembled by developers they often will not scan or test the security of the open source libraries, instead assuming that because it is commonly used it must be secure."