News and Notes from the Makers of Nexus | Sonatype Blog

Banking on Built-in Security Checks

Written by Derek Weeks | April 28, 2016

You’ve seen the headlines: financial services are a top target for attackers. From the Anthem breach to the cyberattack on JPMorgan Chase, cybercrime has repeatedly been bad news for large companies, and for financial services firms it affects not just customer accounts but share prices as well.


The good news is that financial services companies are beginning to shield themselves from breaches by activating automated security checks in their applications as they build them. Applications are one of the largest attack surfaces available to an attacker. Building the checks into the early stages of the development cycle, rather than bolting them on after release, cuts risk dramatically, and everyone benefits: developers, the application security team and even the company’s shareholders.

Proof comes from a recent collaboration between Red Hat®, Sonatype and one of the world’s largest global financial services firms on creating a secure software development lifecycle (SDLC). In a recent webinar we jointly explored how the firm is establishing a clean open source supply chain that meets both software development and application security goals. Modern development practices are augmented by built-in software supply chain visibility and management: every software build is analyzed in the continuous integration pipeline to identify components with known vulnerabilities, a habit Forrester Research recommends for Rugged DevOps as a way to accelerate releases while maintaining stronger security. The firm can track and trace which components are used and where. That matters, considering that roughly 80% of the average application is assembled from third-party and open source components.

The security (and quality) checks can start even earlier in the SDLC than that. Direct integration into the IDE and the Repository Manager gives developers immediate feedback on whether a component is suitable, based on known security vulnerabilities, component age, version and license obligations. If a component does not meet a security or compliance requirement, the developer gets actionable intelligence on alternative components or versions to use instead.
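The checks described in the two paragraphs above, component analysis in the CI pipeline and suitability feedback on known vulnerabilities, age, version and license, reduce to a policy evaluation over the build’s component list. The Python script below is an added illustration of that evaluation, not code from Sonatype, Red Hat or the firm; its component coordinates, catalog, advisories, release dates and policy thresholds are all constructed for the example, and none of the advisories describe real vulnerabilities.

```python
"""Component policy gate for a build (added example with hypothetical data)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
AS_OF = date(2016, 4, 28)  # treated as "today" when judging component age


def parse_version(version: str) -> Tuple[int, ...]:
    """"1.2.10" -> (1, 2, 10): compares numerically, not as strings. Assumes
    plain dotted numeric versions (no "-SNAPSHOT" style qualifiers)."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    coordinate: str  # "group:artifact"
    fixed_in: str    # first version that is not affected
    severity: str    # key of SEVERITY_RANK

    def affects(self, version: str) -> bool:
        return parse_version(version) < parse_version(self.fixed_in)


@dataclass(frozen=True)
class Component:
    coordinate: str
    version: str
    license: str


@dataclass(frozen=True)
class Finding:
    coordinate: str
    version: str
    rule: str                         # which policy rule fired
    detail: str
    blocking: bool                    # True: the build must fail
    suggested_version: Optional[str]  # newest known version no advisory affects


# Hypothetical catalog of known versions and release dates, per component.
CATALOG = {
    "org.example:web-core": [("2.1.0", date(2013, 6, 1)),
                             ("2.4.3", date(2015, 2, 10)),
                             ("3.0.1", date(2016, 1, 20))],
    "org.example:json-parse": [("1.0.0", date(2012, 3, 3)),
                               ("1.1.2", date(2015, 11, 30))],
    "org.example:crypto-util": [("0.9.0", date(2014, 8, 8)),
                                ("1.2.0", date(2016, 3, 15))],
}

# Hypothetical advisories; none of these describe real vulnerabilities.
ADVISORIES = [
    Advisory("org.example:web-core", fixed_in="2.4.3", severity="CRITICAL"),
    Advisory("org.example:web-core", fixed_in="3.0.1", severity="MEDIUM"),
    Advisory("org.example:crypto-util", fixed_in="1.2.0", severity="HIGH"),
]

# Assumed policy: HIGH+ fails the build, one license is denied, and
# components older than two years are reported but do not block.
POLICY = {"block_at_or_above": "HIGH",
          "denied_licenses": {"AGPL-3.0"},
          "max_age_days": 2 * 365}

# Constructed component list, as a CI job would extract it from a build.
SAMPLE_BUILD = [
    Component("org.example:web-core", "2.1.0", "Apache-2.0"),
    Component("org.example:json-parse", "1.1.2", "AGPL-3.0"),
    Component("org.example:crypto-util", "1.2.0", "Apache-2.0"),
]


def suggest_version(coordinate: str) -> Optional[str]:
    """Newest catalog version of the component that no advisory affects."""
    relevant = [a for a in ADVISORIES if a.coordinate == coordinate]
    clean = [v for v, _ in CATALOG.get(coordinate, [])
             if not any(a.affects(v) for a in relevant)]
    return max(clean, key=parse_version) if clean else None


def evaluate(components: List[Component], today: date = AS_OF,
             policy=POLICY) -> List[Finding]:
    """Apply every policy rule to every component and collect the findings."""
    block_rank = SEVERITY_RANK[policy["block_at_or_above"]]
    findings: List[Finding] = []
    for c in components:
        fix = suggest_version(c.coordinate)
        for adv in ADVISORIES:
            if adv.coordinate == c.coordinate and adv.affects(c.version):
                findings.append(Finding(
                    c.coordinate, c.version, "known-vulnerability",
                    f"{adv.severity} advisory, fixed in {adv.fixed_in}",
                    SEVERITY_RANK[adv.severity] >= block_rank, fix))
        if c.license in policy["denied_licenses"]:
            findings.append(Finding(c.coordinate, c.version, "license",
                                    f"{c.license} is not permitted", True, fix))
        released = dict(CATALOG.get(c.coordinate, [])).get(c.version)
        if released and (today - released).days > policy["max_age_days"]:
            findings.append(Finding(c.coordinate, c.version, "age",
                                    f"released {released}", False, fix))
    return findings


def build_passes(findings: List[Finding]) -> bool:
    """A CI step would exit non-zero when this is False."""
    return not any(f.blocking for f in findings)


if __name__ == "__main__":
    for f in evaluate(SAMPLE_BUILD):
        print("FAIL" if f.blocking else "WARN", f)
```

Run as a CI step, the job fails when build_passes returns False; the sample build fails on the CRITICAL advisory against web-core 2.1.0 (with 3.0.1 suggested, since 2.4.3 still carries the MEDIUM advisory) and on the denied license, while the old release date is only reported. In a real pipeline the catalog and advisory data would come from the repository manager’s component intelligence rather than constants, and version parsing would need to cope with qualifiers.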

Early risk detection in the SDLC is consistent with the trend in Agile, CI/CD and now DevOps to “shift left”: moving testing from after release to before it, as close to the developer as possible. It is a win-win: security policies are enforced in the pre-release process through automation, insight and integration, which creates a culture of quality that scales with the pace and volume of modern software development, and that in turn builds trust between development and application security.

Learn more about how this financial leader and others are securing their open source supply chain in the recorded webinar, How to Secure Your Open Source Supply Chain, which includes tips on building your own secure supply chain with Red Hat enterprise software and Sonatype tools. Bank on that!