A stepping stone towards holistic application risk and compliance management of the Digital Operational Resiliency Act (DORA)

In today's increasingly digital world, where businesses rely heavily on technology for core operations, the European Union's Digital Operational Resilience Act (DORA) establishes a comprehensive framework to manage Information and Communication Technology (ICT) related risks and ensure business continuity for financial institutions and critical service providers. DORA's wide-ranging requirements reflect the increasing reliance on digital technologies in modern organizations, and since applications are the backbone of these operations, strong application security practices become a foundational element for achieving DORA compliance. As cybercriminals target vulnerabilities within applications to disrupt services, DORA compels financial institutions to prioritize the security of their applications, infrastructure, and the service providers they rely on. 

DORA is a paradigm shift, moving beyond reactive security measures towards a proactive approach built on operational resilience. At the heart of this strategy lies application security — the practice of securing applications throughout their lifecycle, from development to deployment and maintenance.

Why applications are prime targets for digital operational disruption

Modern businesses rely heavily on applications to conduct critical operations. These applications act as the digital “heartbeat” of an organization, carrying sensitive data, engaging customers, employees, and partners, while facilitating essential workflows. Consequently, they become prime targets for cybercriminals seeking to exploit vulnerabilities and disrupt operations.

Here's a closer look at the factors that make applications vulnerable:

• Software complexity: Modern applications are intricate ecosystems composed of various components — code, libraries, frameworks, and third-party integrations. This complexity increases the attack surface, creating more opportunities for vulnerabilities to exist.

• Rapid development: The pressure to launch features quickly can lead to security being overlooked during the development cycle. Developers might inadvertently introduce vulnerabilities through coding errors, misconfigurations, or improperly vetted third-party libraries.

• Adoption of AI coding assistants: Recent studies show that over 90% of organizations have some use of AI coding assistants in use within their development teams. Yet, most organizations have very immature policies or controls around their use, creating a major risk for an increase in insecure code.

• Shifting threat landscape: Cybercriminals are constantly evolving their tactics, developing new exploits to target known vulnerabilities. This necessitates a continuous security posture to identify and patch vulnerabilities before they are exploited.

The five pillars of DORA compliance

DORA outlines five key areas that financial institutions and essential service providers must address to achieve compliance and enhance digital operational resilience:

1. ICT risk management: DORA mandates the establishment, maintenance, and regular updates of a robust ICT (information and communication technology) risk management framework. This framework should identify, assess, prioritize, and mitigate ICT-related risks across the organization.

2. Incident reporting: DORA requires the reporting of significant cyber and ICT-related incidents to relevant authorities. This not only helps improve market transparency but also enables authorities to better understand and respond to emerging threats.

3. Digital operational resilience testing: Regular testing of ICT systems, including penetration testing and vulnerability assessments, is crucial for understanding how well an organization can withstand cyberattacks. DORA emphasizes the importance of conducting these tests frequently and incorporating lessons learned to improve overall resilience.

4. Third-party risk management: Financial institutions often rely on third-party service providers for critical operations. DORA mandates the management and monitoring of ICT-related risks posed by these third parties, including cloud computing services and software vendors.

5. Information sharing: DORA encourages the sharing of cyber threat information and intelligence among financial entities. This collaborative approach can significantly improve the overall cybersecurity posture of the financial sector by enabling faster detection and response to emerging threats.

While some of these requirements may seem familiar, such as risk management frameworks, others pose new challenges and necessitate significant efforts from organizations to achieve compliance. The good news is that addressing many of these requirements also aligns with the needs of other financial services oriented regulations.

DORA and the emphasis on application security

In creating the requirements for compliance with DORA, regulators recognized the critical role applications play in digital operations and the inherent risks associated with application vulnerabilities. These requirements establish a broad framework as well as some specific steps for building comprehensive application security practices, ensuring financial institutions and essential service providers maintain a robust application risk management.

Here are some key provisions within DORA that highlight the importance of application security:

• Mandated application security scanning: DORA requires organizations to conduct regular application security scans. This includes identifying vulnerabilities early on, allowing developers to patch them before they reach production where they can be exploited.

• Focus on third-party applications: DORA acknowledges that many organizations rely on third-party applications to conduct business. These applications, along with their dependencies, also need to be assessed for vulnerabilities to minimize the overall attack surface.

• Risk management and prioritization: DORA emphasizes the importance of strong risk management practices. This includes identifying, assessing, and prioritizing vulnerabilities based on their potential impact.

These specific requirements, as well as the broader risk management framework of DORA are where a developer-first security platform like Snyk can play a pivotal role.

How Snyk can help you achieve DORA compliance

Snyk empowers organizations to build and maintain secure applications, aligning perfectly with DORA's emphasis on application security. Here's how Snyk can specifically help you achieve compliance across several key areas outlined in DORA:

ICT risk management:

• Application vulnerability management and remediation: DORA mandates a robust ICT risk management framework, which includes identifying, assessing, and mitigating ICT-related risks. Snyk helps in this area by automatically scanning codebases, dependencies, and containers for vulnerabilities as well as infrastructure as code (IaC) configurations for any misconfigurations that are misaligned to best practices such as CIS benchmarks, cloud providers' Well-Architected Frameworks and others. This proactive identification allows companies to manage these risks before they can be exploited and incorporated into the overall ICT risk management framework. In addition to supporting proactive identification of software vulnerabilities, Snyk is uniquely positioned to facilitate AppSec and Developer collaboration to find, prioritize, and remediate vulnerabilities.

• Software composition analysis (SCA): Snyk's SCA capabilities provide detailed insights into the security posture of an organization's software supply chain, identifying vulnerabilities within open-source libraries and third-party components. This directly addresses the need to assess third-party risk and integrate it into the broader ICT risk management framework. Snyk Open Source not only supports the identification of vulnerable dependencies, but also saves valuable development time by addressing issues as developers code in their IDE or CLI, lessening the operational impact of development of achieving compliance. 

Incident reporting:

• Application security compliance and program reporting: DORA requires reporting of significant cyber incidents. Snyk offers features for generating compliance reports and documentation that can aid in demonstrating compliance with regulatory requirements, including those outlined in DORA. This can simplify the process of incident reporting and auditing, as required by the act. Beyond compliance and incident reporting, the data analytics capabilities of Snyk AppRisk provides AppSec teams a comprehensive overview of their AppSec program at a macro level, facilitating tracking, measurement, and reporting on program performance and risk KPIs.

Digital operational resilience testing:

• Security scanning integration: DORA emphasizes regular testing of ICT systems. Snyk integrates seamlessly with existing security testing tools, providing developers with continuous feedback on vulnerabilities identified during scans. Snyk’s ability to integrate with Continuous Integration/Continuous Deployment (CI/CD) platforms supports resiliency testing early in the software development lifecycle before critical vulnerabilities go into production. This iterative approach to security strengthens the overall resilience of ICT systems.

Third-party risk management:

• Software supply chain security: DORA mandates managing risks posed by third-party service providers. Snyk scans third-party dependencies for vulnerabilities, enabling organizations to identify and address potential weaknesses within their software supply chain. Furthermore, Snyk allows the generation as well as ingestion of software bills of material (SBOMs). This reduces the overall attack surface and minimizes risks associated with third-party vendors.

• Continuous monitoring: Snyk provides continuous monitoring capabilities, allowing organizations to stay updated on vulnerabilities within their dependencies and third-party applications. This proactive approach ensures that potential risks are identified and addressed promptly, enhancing digital operational resilience when faced with newly-discovered zero-day vulnerabilities or when new exploits are found for existing vulnerabilities.

Beyond compliance: Building a culture of security and risk management

While achieving DORA compliance is crucial, it's equally important to foster a culture of application security and risk management within your organization. Snyk goes beyond simply providing tools by offering developer training and resources that promote secure coding practices. This empowers developers to write secure code from the ground up, further reducing the attack surface and strengthening your overall digital operational resilience. This aligns with DORA’s aim to enhance the overall digital operational resilience through improved practices and awareness within financial entities.

DORA’s focus on Risk Management also drives a culture of assessing all threats, including application vulnerabilities, through the lens of security and business risk. Not all vulnerabilities pose an equal threat. Snyk helps prioritize vulnerabilities based on the reachability of the vulnerability, the likelihood of exploit as well as potential impact, allowing organizations to focus their resources on the most critical issues and ensure timely reporting of high-risk vulnerabilities to the relevant authorities. Using Snyk AppRisk, application visibility and discovery, security coverage management, and risk-based prioritization, together empowering security and development teams to collaborate more effectively in managing application risk for their business.

Another element of organizational culture is the commitment level to Secure Software Development Lifecycle (SDLC) and the focus of DevSecOps. This commitment involves the integration of security practices into the DevOps pipeline, ensuring that security checks are conducted at every stage of the software development process. This approach allows for the early detection and remediation of vulnerabilities, reducing the risk of security breaches and enhancing operational resiliency.

DevSecOps is not just about integrating tools and technologies—it's about fostering a culture of security within the organization by promoting collaboration between development, operations, and security teams, and encouraging shared responsibility for security across the organization. By adopting a DevSecOps approach, organizations can ensure that security is a core part of their development practices, rather than an afterthought.

Conclusion

DORA represents a significant step forward in ensuring the resiliency of digital operations of financial institutions and essential service providers. By recognizing the importance of application security, DORA is a step towards a more resilient digital infrastructure as businesses continue to rely more and more on application development as a pillar of innovation. Snyk, with its developer-first security platform, empowers organizations to not only achieve compliance with DORA but also build a culture of security that safeguards their critical applications and operations. It is also important to recognize that taking the right approach to the application security aspects of DORA also lays the foundation for other current and future regulations. Well established regulations or frameworks such as ISO 27001, SOC2 and PCI-DSS all align with the need to assess and manage risk within the SDLC.  

By partnering with Snyk, organizations can embrace DORA's requirements as an aspect of application security program development and broader compliance management, ensuring business continuity and protecting their most valuable assets.