A leading global financial institution selected Spectra Assure™ to strengthen its third-party commercial software risk management program and ensure stringent compliance. With Spectra Assure, it gained visibility into the risks and threats in vendor-supplied software packages, such as tampering, embedded malware, and unexplained behavioral changes. The Spectra Assure SAFE Report not only helped identify those issues, but also allowed the company to share the report with its vendors to resolve them. This helped meet regulatory standards, reduce operational risk, and improve the onboarding of new software.
As with many highly regulated companies, the existing software acquisition process was mostly manual, required extensive paperwork, and often took months to obtain approvals before deployment. Yet none of these steps provided any assessment of the risks or threats in the commercial software they were looking to purchase. Additionally, to maintain compliance with various industry and government regulations, much of their software is deployed as virtual machines that are too large to scan effectively with traditional tools.
Spectra Assure automates the assessment of commercial software, rapidly deconstructing large, complex software packages and virtual machines before deployment to identify risks and threats in minutes without the need for source code. Spectra Assure summarizes the findings in the form of a SAFE report, which can be securely shared across internal teams and back to software vendors to simplify collaboration on remediation planning. Within weeks of initial testing, several of their software suppliers had addressed significant risks to comply with the bank’s new software risk inspection policies.
While the bank had a robust security team and program, it did not have a proper control for the third-party commercial software it was acquiring and deploying across the organization. Standard questionnaires, or even an SBOM, did not identify risks or threats in their commercial software.
With Spectra Assure, they were now able to run a comprehensive risk and threat analysis of any commercial software they wished to check. The analysis identified evidence of tampering and malware indicative of software supply chain attacks, as well as risk factors such as software components containing known, exploitable flaws, outdated or end-of-life software libraries, exposed developer secrets, or disallowed functional capabilities. Spectra Assure’s easy-to-implement detection policies enabled the bank to minimize its software supply chain risk by identifying these issues and threats before software is circulated and deployed across the organization to its employees.
To satisfy a corporate-wide mandate for all commercial software and version updates to be inspected for cyber risks before deployment, the team created a phased implementation plan, onboarding one business process function or type of software at a time.
To start, Spectra Assure was integrated into an existing process to onboard and update tools used for internal software development. The security team customized Spectra Assure’s policy controls to align with their risk tolerance for that type of software. The results of Spectra Assure’s scans were integrated with their internal risk management tooling via API.
The insights into security risks in the software development tools were recognized across the bank and now drive the adoption of Spectra Assure into the software onboarding processes of other business groups.