Today, application attacks and breaches are often the result of easily exploited – and easily rectified – open source vulnerabilities. While we hope companies would self-regulate their cybersecurity hygiene in our software-driven world, daily breach headlines indicate that government, associations and third-party regulations might be a necessary motivator for action.
One such entity that has recently decided to take action, through new standards to protect the Turkish citizenry, is the Banking Regulation and Supervision Agency (BRSA). The agency introduced Regulations requiring banks to more aggressively protect customer data and payment information and to create safer transactions.
As stated by Mondaq, "the Regulation will have significant impact on business operations carried out by (i) banks, (ii) auditing firms, (iii) technology firms offering outsource services to banks, (iv) firms offering open banking products." And they aren't to be taken lightly. Unlike other organizations that may only have "guidelines" in place, BRSA puts your money where its mouth is. Recently, it distributed $48m worth of fines to institutions that didn't follow its orders during the coronavirus pandemic. We expect to see similar fines imposed on organizations that don't follow these new hygiene rules; banks cannot afford to be noncompliant with any of the Regulations, and need a solution in place.
Among other things, there are two overarching secure development measures that companies need to adhere to. They must:
The Regulations go into great detail on exactly how they expect companies to reach these broader goals. Specifically:
All of this can seem quite daunting. But, it doesn't have to be. Fortunately, many of the mandates presented in the BRSA Regulation are easily solved by better understanding your use of known vulnerable open source components. Large and small enterprises alike are already putting DevSecOps principles and practices to work, and using the Sonatype Platform to mitigate their software vulnerability risk.
The Sonatype Platform automatically enforces open source governance and controls risk across every phase of the SDLC. Fueled by Sonatype Intelligence, which includes in-depth security, license, and quality information on more than 100M open source components across dozens of ecosystems, the platform:
Only Sonatype secures your perimeter and every phase of your SDLC, including production, by continuously monitoring for new risk based on your open source policies.
With 90% of most modern applications composed of open source components, organizations must start by understanding their open source use in order to effectively adhere to the new BRSA rules. We had the opportunity to explore this topic in depth at Innovera's VShield cybersecurity conference over the summer. It was great to talk with financial institutions of all sizes about how they can proactively make changes to get in front of these new rules.
Don't know where to start? We've got you covered. Try our free Sonatype Vulnerability Scanner to see for yourself how easy it is to comply with BRSA's new Regulations.