SOFTWARE SUPPLY CHAIN

How insurance tech companies are leading the way on Application Security

Simon Wenet
Head of Growth
May 3, 2023
Simon has spent the last decade in security leading product management & growth teams at various companies focused on DNS security, DLP, and now application security.

TL;DR  

Insurance tech companies and their security leaders have ample motivation to implement software supply chain security best practices. In this post, we will dive into how insurance providers are leading the way in securing their software supply chain.

{{arnica-top-signup-banner="/template-pages/try-arnica-banner"}}

Insurance tech sits at the center of critical application security drivers

Increasing software supply chain attacks have pushed supply chain security at the top of the priority lists for Application Security leaders in every organization. Organizations that develop software as their core product, operate within a regulated industry, or are responsible for sensitive data are particularly focused on implementing effective software supply chain security measures. Insurance Tech companies sit at the intersection of all three of these driving factors.  

Driver #1: Securing development lifecycles without friction

Insurance companies rely heavily on developing innovative solutions for their customers to gain a competitive advantage. To sustain innovation, development velocity must be maintained making it critical that security tools integrate seamlessly with the development process. By prioritizing efficient software supply chain security tooling, insurance companies can ensure that secure coding practices, continuous security testing, and vulnerability management are integrated into every stage of the SDLC without putting innovation in jeopardy.  

Driver# 2: Using regulatory frameworks as security advantage  

The insurance industry operates within a complex regulatory environment, with stringent requirements imposed by various regulatory bodies, such as the National Association of Insurance Commissioners (NAIC), Sarbanes-Oxley (SOX), System and Organization Controls 2 (SOC 2), ISO 27001, and the National Institute of Standards and Technology (NIST) guidelines.

This heavily regulated industry necessitates a thoughtful approach to compliance in order to avoid significant fines, reputational damage, and loss of consumer trust. In contrast, blind adherence could cause overwhelming friction for a security team and the organization more broadly. Prioritizing application security tooling that is optimized for both achieving key compliance wins while avoiding undue operational burden helps insurance companies establish leadership in the application security space.  

Driver #3: Sensitive data concerns  

Insurance companies handle a vast amount of critical and sensitive data, including personal, financial, and health information of their customers. The protection of this data is paramount, as any unauthorized access, modification, or loss can have severe consequences for both the customers and the insurance companies themselves. Specifically, exposure of PII or PHI under HIPPA comes with a fee of up to $2M.  

By focusing on effective software supply chain security, insurance companies can implement robust security measures that safeguard sensitive data. This includes data encryption, secure storage, access controls, and continuous monitoring for potential threats. Ensuring the security of sensitive data is not only a regulatory requirement but also a vital factor in maintaining customer trust and the overall reputation of the company.

Key strategies being used to strengthen application security  

To address the unique challenges faced across the insurance space, security leaders leverage a multi-faceted approach to application security.  

1. Stop the bleed, reduce the backlog

Security leaders leverage a modern toolset to eliminate the introduction of net-new critical risks (ex: hardcoded secrets, unpatched libraries). There are several key functions within the modern application security toolset that make this possible:  

  • Real time risk detection – finds and eliminates risks before they metastasize  
  • Targeted alerting – delivers alerts to the most suited person or team to address a risk quickly rather than stacking it on top of the existing security backlog  
  • Automated mitigation – provides thoughtful solutions in the form of automated policy decisions or one-click mitigations  

“Stopping the bleed” has a critical secondary impact: teams can pragmatically tackle their (often) stale and bloated security backlogs!

2. Have the right context to prioritize & address the risks  

Software supply chain security tooling too often generates a mountain of alerts spanning from potential secrets to permissions alerts in test environments. In regulated sectors like Insurance, it is critical to implement a method amidst the alert madness to a) prioritize the most critical risks and b) mitigate critical risks quickly. Such a method is only made possible through the ability to identify the foundational context of a risk.  

To prioritize risks, security teams must be able to understand (and, often, easily communicate) key context like:  

  • Who introduced the risk?  
  • What is the blast radius of a risk? In the case of secrets in code, for example: who has had access to or even used an exposed secret since it was exposed? Each additional person represents an increased blast radius.  
  • How important is the repository where the risk is exposed? Is it a production branch or a test environment? The answer impacts priority significantly.  

Similarly, provided context of a risk makes addressing the risks dramatically easier and more efficient.  

  • Who introduced the risk? The pusher may often also be best equipped to address the risk most effectively – especially if real-time detection and alerting are being leveraged  
  • Who is the product owner for the risk-exposed repository? The owner may also be well equipped to address a critical risk.  
  • How important is the repository? By understanding the importance of a repository, it is easier for security to make a case to engineering teams to fix the risk as soon as possible and avoid drowning the engineering team in low severity issues.  

When security is able to communicate clear prioritization, it creates a more collaborative relationship with the engineering teams that are often leaned on to address the risks. And when the right engineering teams are provided with all of the context needed to easily address the risk in question, it bolsters that collaboration even further, resulting in a far more effective developer-security relationship.

3. Thoughtful security compliance implementation

Insurance companies are responsible for taking into account several industry specific compliance obligations from the International Association of Insurance Supervisors (IAIS) Insurance Core Principles (ICP) to the Federal Information Security Modernization Act (FISMA). On top of industry specific guidelines, if the Insurance company is publicly traded, they are subject to the controls listed under Sarbanes Oxley (SOX) regarding least privilege and access to critical infrastructure. And we haven’t even talked about the Cybersecurity Framework guidelines from the National Institute of Standards and Technology (NIST) or the software supply chain security guidelines from the NSA.  

Clearly, there are a lot of hoops to jump through. So many so, that anyone who attempted to follow each guideline to a T would likely grind their business to a halt from compliance induced friction. Rather, the most successful Application Security leaders are using these compliance frameworks in aggregate as guidance for building a comprehensive, proactive approach to software supply chain security. Thematically this looks like:  

  • Empowering developers to make a positive security impact and making “doing the right thing” the path of least effort  
  • Implementing automated, scalable solutions across secret scanning, code risk mitigation, anomaly detection, permissions management, and more  
  • Developing a clear methodology for risk prioritization  
  • Effective partnership and security training across Engineering and DevOps teams

A tangible example can be found in secret scanning. Having a secret scanner would check most compliance boxes to be able to detect secrets. But the leaders in this space are using tools that can surface the most critical secrets, based on rich context, and provide one-click or automated fixes to ensure no new hardcoded secrets. While this approach goes well beyond “having a secret scanner” it is an approach that makes a tangible, positive impact to application security risk.  

Summary

Implementing security in the software supply chain is crucial for ensuring the security and reliability of applications in regulated industries like insurance. By taking an approach that prioritizes non-disruptive measures to detect & mitigate early, eliminate hardcoded secrets, manage dependency risk, and adhere to compliance requirements, Insurance companies are leading the way on implementing effective software supply chain security.  

For more on how Arnica can help you do the same, schedule a call with the Arnica team here:

THE LATEST UPDATES

More from our blog

Guide to SCA and SAST: Secure Your Code Efficiently
Guide to SCA and SAST: Secure Your Code Efficiently
October 15, 2024
A Complete Guide: Enterprise Managed Users vs Bring Your Own Users on GitHub
A Complete Guide: Enterprise Managed Users vs Bring Your Own Users on GitHub
March 25, 2024
How to Determine the Severity of a Third-Party Risk with Software Composition Analysis (SCA)
How to Determine the Severity of a Third-Party Risk with Software Composition Analysis (SCA)
December 3, 2024

{{arnica-bottom-signup-banner="/template-pages/try-arnica-banner"}}