Blogs
Published on
January 9, 2023

MAS Technology Risk Management Guidelines – What They Mean and How to Get Started

5
min read
MAS Technology Risk Management Guidelines – What They Mean and How to Get Started

Summary of MAS Technology Risk Management (TRM) Guidelines

On 18th January 2021, MAS updated its cyber-risks guidelines in light of recent cyber-security incidents including the infamous SolarWinds breach. The enhanced guidelines detail best practices for managing technology risk by establishing a framework for technology risk governance and cyber resilience.

The framework encompasses risk identification, assessment and treatment, as well as monitoring, review and reporting to effectively manage vulnerabilities. At the same time, security-by-design should be incorporated into the application development cycle to ensure vulnerabilities are being identified and fixed early.

A key part of the TRM details the need for secure coding and application security testing. FIs can no longer pass on cyber-security liabilities to their vendors and need to establish a procedure and policy in place when using open-source software codes, and to keep track of reported vulnerabilities. The issue regarding open-source application code governance was also raised in the MAS advisory released on 14th November 2020. Given that the average application today is built on top of 250+ open-source components, not mitigating the risks associated with them can be catastrophic.

Background

The SolarWinds breach in December 2020 highlights the urgency and importance of securing the software supply chain. The affected application, Orion, is used by over 33,000 customers to manage their IT resources. Hackers breached Orion to install backdoors which were used to obtain information on the customer’s IT systems, which then enabled the installation of additional malware and spyware.

When it comes to breaches arising due to insecure software supply chain, SolarWinds is not alone. Other notable data breaches due to insecure software supply chains include the Equifax breach, which exposed a third of all Americans’ credit information and resulted in a 700M USD settlement, as well as the Panama Papers, which exposed more than 11.5 million documents of financial and legal records.

How Do I Secure My Software Supply Chain

To begin securing your software supply chain, you need to first understand the third-party software and open-source libraries in your systems and applications. Traditionally, we have been checking for vulnerabilities in the code we write but not so for security and legal issues on code that we depend on from third parties and open-source channels.

Up to 90% of codes used in applications are open source and imported by developers, which also means if they are not using a Software Composition Analysis (SCA) tool, up to 90% of the software supply chain is left vulnerable for exploitation. Using Scantist’s SCA, you can easily identify the open-source libraries and third-party software and their associated vulnerabilities. Scantist’s SCA also provides your team with smart, context-aware remediations and patches to remove and remediate these vulnerabilities.

Scantist proactively alerts your team of newly disclosed vulnerabilities. Over 500 new vulnerabilities are disclosed on the National Vulnerability Database in a week alone and you need to stay on top of those to stay secure. Scantist SCA does this for you by monitoring 33 million open-source and third-party artefacts round the clock, immediately alerting your organisation when there is a threat that needs attention.

Related Blogs

Find out how we’ve helped organisations like you

An Empirical Study of Malicious Code In PyPI Ecosystem

How can we better identify and neutralize malicious packages in the PyPI ecosystem to safeguard our open-source software?

The RoguePuppet Lesson: Why Software Supply Chain Security Is Non-Negotiable

A critical software supply chain vulnerability was recently averted when security researcher Adnan Khan uncovered a severe flaw in the GitHub repository Puppet Forge in early July 2024. Dubbed RoguePuppet, this vulnerability would have allowed any GitHub user to push official modules to the repository of Puppet, a widely-used open-source configuration management tool.

Driving Security: The Critical Role of Binary Analysis in Automotive Cybersecurity

In the rapidly evolving automotive industry, cybersecurity has become a paramount concern. With the increasing connectivity and complexity of modern vehicles, manufacturers face unprecedented challenges in ensuring the safety and security of their products. The introduction of regulations like UN R155 and R156 has further emphasized the need for robust cybersecurity measures throughout the vehicle lifecycle.