Insurance tech companies and their security leaders have ample motivation to implement software supply chain security best practices. In this post, we will dive into how insurance providers are leading the way in securing their software supply chain.
Increasing software supply chain attacks have pushed supply chain security at the top of the priority lists for Application Security leaders in every organization. Organizations that develop software as their core product, operate within a regulated industry, or are responsible for sensitive data are particularly focused on implementing effective software supply chain security measures. Insurance Tech companies sit at the intersection of all three of these driving factors.
Insurance companies rely heavily on developing innovative solutions for their customers to gain a competitive advantage. To sustain innovation, development velocity must be maintained making it critical that security tools integrate seamlessly with the development process. By prioritizing efficient software supply chain security tooling, insurance companies can ensure that secure coding practices, continuous security testing, and vulnerability management are integrated into every stage of the SDLC without putting innovation in jeopardy.
The insurance industry operates within a complex regulatory environment, with stringent requirements imposed by various regulatory bodies, such as the National Association of Insurance Commissioners (NAIC), Sarbanes-Oxley (SOX), System and Organization Controls 2 (SOC 2), ISO 27001, and the National Institute of Standards and Technology (NIST) guidelines.
This heavily regulated industry necessitates a thoughtful approach to compliance in order to avoid significant fines, reputational damage, and loss of consumer trust. In contrast, blind adherence could cause overwhelming friction for a security team and the organization more broadly. Prioritizing application security tooling that is optimized for both achieving key compliance wins while avoiding undue operational burden helps insurance companies establish leadership in the application security space.
Insurance companies handle a vast amount of critical and sensitive data, including personal, financial, and health information of their customers. The protection of this data is paramount, as any unauthorized access, modification, or loss can have severe consequences for both the customers and the insurance companies themselves. Specifically, exposure of PII or PHI under HIPPA comes with a fee of up to $2M.
By focusing on effective software supply chain security, insurance companies can implement robust security measures that safeguard sensitive data. This includes data encryption, secure storage, access controls, and continuous monitoring for potential threats. Ensuring the security of sensitive data is not only a regulatory requirement but also a vital factor in maintaining customer trust and the overall reputation of the company.
To address the unique challenges faced across the insurance space, security leaders leverage a multi-faceted approach to application security.
Security leaders leverage a modern toolset to eliminate the introduction of net-new critical risks (ex: hardcoded secrets, unpatched libraries). There are several key functions within the modern application security toolset that make this possible:
“Stopping the bleed” has a critical secondary impact: teams can pragmatically tackle their (often) stale and bloated security backlogs!
Software supply chain security tooling too often generates a mountain of alerts spanning from potential secrets to permissions alerts in test environments. In regulated sectors like Insurance, it is critical to implement a method amidst the alert madness to a) prioritize the most critical risks and b) mitigate critical risks quickly. Such a method is only made possible through the ability to identify the foundational context of a risk.
To prioritize risks, security teams must be able to understand (and, often, easily communicate) key context like:
Similarly, provided context of a risk makes addressing the risks dramatically easier and more efficient.
When security is able to communicate clear prioritization, it creates a more collaborative relationship with the engineering teams that are often leaned on to address the risks. And when the right engineering teams are provided with all of the context needed to easily address the risk in question, it bolsters that collaboration even further, resulting in a far more effective developer-security relationship.
Insurance companies are responsible for taking into account several industry specific compliance obligations from the International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICP) to the Federal Information Security Modernization Act (FISMA). On top of industry specific guidelines, if the Insurance company is publicly traded, they are subject to the controls listed under Sarbanes Oxley (SOX) regarding least privilege and access to critical infrastructure. And we haven’t even talked about the Cybersecurity Framework guidelines from the National Institute of Standards and Technology (NIST) or the software supply chain security guidelines from the NSA.
Clearly, there are a lot of hoops to jump through. So many so, that anyone who attempted to follow each guideline to a T would likely grind their business to a halt from compliance induced friction. Rather, the most successful Application Security leaders are using these compliance frameworks in aggregate as guidance for building a comprehensive, proactive approach to software supply chain security. Thematically this looks like:
A tangible example can be found in secret scanning. Having a secret scanner would check most compliance boxes to be able to detect secrets. But the leaders in this space are using tools that can surface the most critical secrets, based on rich context, and provide one-click or automated fixes to ensure no new hardcoded secrets. While this approach goes well beyond “having a secret scanner” it is an approach that makes a tangible, positive impact to application security risk.
Implementing security in the software supply chain is crucial for ensuring the security and reliability of applications in regulated industries like insurance. By taking an approach that prioritizes non-disruptive measures to detect & mitigate early, eliminate hardcoded secrets, manage dependency risk, and adhere to compliance requirements, Insurance companies are leading the way on implementing effective software supply chain security.
For more on how Arnica can help you do the same, schedule a call with the Arnica team here: