
Enhancing software supply chain security in financial services with Sonatype and AWS
Financial services organizations prioritize software security as part of their risk management strategy. Open source components accelerate software development, and organizations benefit from implementing appropriate security controls to manage potential associated risks.
In a recent webinar "Securing Financial Services from Malware Threats: How Sonatype and AWS Safeguard Your Software Supply Chain," experts from Sonatype and Amazon Web Services (AWS) shared strategies to strengthen software supply chains and reduce risk exposure.
Participants included:
- Hailey Todis (ViB) – Webinar host
- Brian Kang – Partner Manager, Sonatype (Moderator)
- Meredith Eisen – Director of Product Management, Sonatype
- Arvind Ayyaswamy – Senior Technical Account Manager, AWS
Empowering financial services with secure open source practices
Open source packages require careful security evaluation, particularly in regulated industries like financial services. Sonatype's research from early 2019 to March 2025 documented 828,000 packages that contained potentially unauthorized code across public repositories including npm, PyPI, and NuGet.
While traditional security conversations often focus on vulnerabilities — unintentional flaws in code — malware represents intentional, targeted harm. Unlike vulnerabilities, which can be managed with compensating controls, potentially harmful code may impact systems during the development phase, before reaching production environments.
This highlights why organizations implement comprehensive security controls throughout the software development life cycle (SDLC), including tools that validate dependencies at the point of selection and continuously monitor for unexpected behavior.
Advancing secure software practices in the financial sector
With the rapid pace of digital transformation, financial services teams are advancing their systems while upholding rigorous security and compliance standards.
Financial institutions prioritize:
- Modernization of systems and integration approaches.
- Visibility into software supply chain components and dependencies.
- Comprehensive security monitoring and response capabilities.
To maintain trust and integrity across their software supply chains, financial services teams are adopting solutions that verify the authenticity of open source components. Tools like Sonatype Lifecycle help prevent risks such as namespace confusion — where lookalike packages attempt to mimic trusted sources — by automatically evaluating components before they're introduced into development environments. Amazon Q Developer provides real-time security scanning during the coding process to identify vulnerabilities before they're committed to repositories.
Implementation of comprehensive validation processes helps organizations verify the authenticity of software components throughout the SDLC.
Enhancing software composition analysis with Sonatype
Software composition analysis (SCA) tools provide valuable capabilities for managing known vulnerabilities while complementary solutions can address additional software supply chain considerations.
Many SCA tools leverage vulnerability databases like the National Vulnerability Database (NVD), which focus primarily on unintentional code flaws rather than code designed to perform unauthorized actions. Traditional approaches often evaluate components after they've been introduced into the SDLC, while newer solutions can provide earlier validation.
Sonatype's approach goes beyond traditional SCA. With near real-time analysis of newly published components, Sonatype can evaluate code patterns and identify potential concerns within four minutes of release. This enables customers to block open source malware before it ever reaches a developer's environment.
AWS complements Sonatype's approach with Amazon CodeGuru Security, which uses machine learning to detect security policy violations and vulnerabilities in your code repositories. CodeGuru Security analyzes your application code for issues like resource leaks, input validation problems, and insecure cryptographic practices, which malware can use to exploit your applications and gain unauthorized access.
Regulatory pressures and the role of SBOMs
Global and industry-specific regulations are adding urgency to securing software supply chains:
- Digital Operational Resilience Act (DORA) in the European Union (EU).
- Payment Card Industry (PCI) Data Security Standard (DSS) v4.0 for payment card data protection.
- Increasing software bill of materials (SBOM) requirements and adoption for enhanced visibility and streamlined compliance.
SBOMs provide valuable capabilities for software supply chain transparency, enabling organizations to track component versioning, understand dependencies, and leverage vulnerability exploitability exchange (VEX) data to prioritize remediation efforts based on actual impact to their environments. AWS offers SBOM generation capabilities through Amazon Inspector, which can export SBOMs in industry-standard formats including CycloneDX 1.4 and SPDX 2.3.
Building a resilient incident response strategy
Financial institutions can enhance their security posture by developing capabilities to identify and address potential security events with efficiency and accuracy. Incident response isn't a one-time setup. It must evolve alongside your tooling, team structures, and the changing threat landscape.
The goal is to implement comprehensive security practices throughout the development lifecycle, providing teams with the tools and processes to maintain operational resilience and continuity. Modern development environments benefit from shifting security practices left in the SDLC, integrating security controls earlier in the process rather than focusing solely on production systems.
Financial institutions can enhance their security posture by developing operational capabilities that enable efficient and strategic responses.
That includes:
- Comprehensive visibility into open source components, including their security attributes, license requirements, and software composition details to support audit processes.
- Role-specific access to logs and forensic data, ensuring the right people can quickly analyze the source and impact of an incident without delay.
- Collaborative playbooks that unite development, security, and operations teams around predefined incident workflows.
One Fortune 200 financial institution collaborated with Sonatype to evaluate their software supply chain security practices. Using Sonatype Repository Firewall, the organization identified over 75 software components requiring attention across tens of thousands of development machines. Specialized tools can complement existing security investments while shifting security validation earlier in the development process, helping the organization strengthen its overall security posture.
From detection to containment and recovery
A well-developed response plan enhances operational resilience by enabling teams to respond efficiently.
This includes:
- Mapping potentially impacted components and their dependencies.
- Assessing the scope of data exposure or operational disruption.
- Executing a repeatable mitigation strategy to remove or quarantine malicious code.
- Capturing detailed post-incident analysis to improve defenses moving forward.
Importantly, incident response plans should be living documents, updated regularly to reflect evolving tools, team roles, and emerging threats.
The ultimate goal extends beyond efficient response — it's to strengthen your software supply chain security posture and build resilience through continuous improvement.
Where to begin with malware defense and mitigation
For organizations beginning their journey to secure the software supply chain, the first step is visibility. Understanding what components you're using, their security attributes, and appropriate management strategies provides a strong foundation.
Sonatype offers tools that can help you build that foundation and scale your security efforts with confidence.
To get started:
- Audit your current usage of open source components to identify what's already in your ecosystem. Sonatype Lifecycle provides detailed insights into component health, security vulnerabilities, license obligations, and potential malware risks.
- Map out your vulnerabilities, license risks, and malware exposure so you can prioritize the most critical issues.
- Establish policies to automatically block high-risk components — including malicious packages, severe vulnerabilities, and non-compliant licenses — before they ever enter your development environment. Sonatype Repository Firewall can help enforce these policies at the proxy level.
- Request and analyze SBOMs from your vendors to better understand the risk posture of third-party software. Sonatype SBOM Manager helps you manage and monitor SBOMs over time, including changes in component health and the inclusion of VEX data.
- Choose a strategic starting point — such as a high-priority application or team — and use it as a proving ground to refine your approach before expanding organization-wide.
AWS complements these approaches with security services that extend protection throughout the development lifecycle. Implement detection capabilities early with Amazon Q Developer and Amazon CodeGuru Security to identify vulnerabilities during the coding process. Secure your container pipeline with Amazon ECR image scanning, and protect your runtime environment with Amazon GuardDuty's malware detection capabilities for EC2 instances and S3 objects. Through Amazon EventBridge integration, you can configure automated workflows to isolate affected resources and notify security teams, accelerating containment efforts.
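As an added illustration of the EventBridge integration mentioned above (not a configuration from AWS, Sonatype or the webinar), the following event pattern is the kind of rule that would route GuardDuty malware findings to an automated containment target such as a Lambda function or an SNS topic. It assumes GuardDuty publishes findings to EventBridge under source `aws.guardduty` and detail-type `GuardDuty Finding`, and that the EC2 and S3 malware finding types begin with `Execution:EC2/MaliciousFile` and `Object:S3/MaliciousFile`; confirm those names against the finding types enabled in your own account. The severity threshold of 7 is an assumed policy value.

```json
{
  "source": ["aws.guardduty"],
  "detail-type": ["GuardDuty Finding"],
  "detail": {
    "type": [
      {"prefix": "Execution:EC2/MaliciousFile"},
      {"prefix": "Object:S3/MaliciousFile"}
    ],
    "severity": [{"numeric": [">=", 7]}]
  }
}
```

Keeping the pattern narrow (specific finding-type prefixes plus a severity floor) matters because the rule's target takes action on resources; a broad match on every GuardDuty finding would quarantine instances for low-severity reconnaissance findings and erode trust in the automation.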
Starting small with the right visibility and controls can quickly scale into a proactive, enterprise-wide defense against malware and other supply chain threats.
To learn more about protecting your software supply chain from malware attacks and threats, check out our webinars on software security, compliance, and open source best practices.

Aaron is a technical writer on Sonatype's Marketing team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they ...
Dylan Souvage is a Partner Solutions Architect at AWS, based in Austin, Texas. Dylan loves working with customers from early stage startups to F500 enterprises to understand their business needs and enable them in their cloud journey. In his spare time, he enjoys going out in nature and going on ...
