The business impact of critical open source vulnerabilities such as Spring4Shell and Log4j illustrates the crucial importance of detecting and remediating such vulnerabilities as fast as possible. This is particularly important for the financial technology sector, which handles vast volumes of sensitive financial data for investors. That was certainly the case for MSCI, which deployed Mend to speedily thwart any potential threats posed by Spring4Shell. The partnership exemplifies how to successfully tackle such threats.
MSCI is a leading provider of critical decision support tools and services for the global investment community. In particular, it provides analytics and governance to institutional investors and hedge funds. The company applies its expertise in research, data, and technology to power better investment decisions, by enabling clients to understand and analyze key drivers of risk and return and confidently build more effective portfolios.
Almost half of the company’s four thousand employees are involved with either software development or IT operations. Its cybersecurity team numbers sixty people, including three dedicated to application security.
In 2020, the company decided to adopt modern DevOps methodologies across all its business units. Its aim was to improve the speed of application delivery, quality, and reliability.
As part of the process, the security team standardized its open source software security on Mend SCA. The implementation and deployment of Mend formed an important part of a fresh application security philosophy established by the company’s executive director of cybersecurity. He built this philosophy on three main pillars: people, process, and technology.
People: It’s essential to understand the workflow of developers and give them the tools and the information to do their jobs seamlessly. Processes and tools must meet their needs and make their working lives easier so that security is reinforced but not at the expense of their productivity.
Process: To this end, it’s essential that vulnerability detection, communication, and remediation happen rapidly, at DevOps speed. That’s why Mend SCA has been integrated with the company’s Jira ticketing system. For the few development teams that don’t use Jira, Mend was set up to deliver a daily email report. In both cases, the necessary people now had a reliable and speedy early warning system in place.
Technology: As speed is critical to the success of the security process, automation is used to trigger real-time testing with Mend SCA and Mend Renovate. This makes the process as smooth and as fast as possible. In fact, Mend is integrated in a way that’s designed to make it as invisible as possible.
Within two years, Mend SCA and Mend Renovate were deployed across thousands of software projects spanning hundreds of repositories. By the time Spring4Shell hit, MSCI was primed to handle a threat of this severity and scale.
Spring4Shell (CVE-2022-22965) emerged as a zero-day vulnerability on March 31, 2022. Having learned the lessons from Log4j, and with Mend in place, MSCI was ready to thwart the threat immediately.
As soon as the vulnerability was announced, Mend SCA sent alerts via Jira or email to all the company’s software developers whose projects were impacted. Many of the developers relied on Mend Renovate to automate pull requests to fix their vulnerable dependencies.
Using Mend, and with the automation that had been designed for the company’s processes, the developers were able to detect Spring4Shell, remediate the vulnerability, and secure the company’s software in a matter of hours. Normal service was re-established rapidly and after that, it was just a normal working day.
“For us, March 31 was not an emergency. We had refined our zero-day processes just three months before, thanks to the Log4j drill,” said MSCI’s executive director of cybersecurity. “So, everyone knew what to do. We had situational awareness within just a few hours. That was key! We knew which applications were priorities to address. Our IT staff applied mitigations to all the applications that needed them, and our developers were already working on applying the fixes.”
This is an object lesson for the fintech sector in the benefits of applying a thorough application security philosophy and an advanced AppSec solution to minimize the risks from severe vulnerabilities.
Financial technology lives and dies by being fast, accurate, and completely dependable. That’s why it’s vital to deploy an application security solution that’s extremely responsive and can rapidly remediate even zero-day vulnerabilities like Spring4Shell. Your solution of choice needs to achieve this in a way that works seamlessly with your developers’ working cadence, so that they will enthusiastically adopt these tools and use them within their workflow to strengthen security, while maintaining their productivity.