Turkish Banking Agency Mandates Better Software Supply Chain Hygiene

Today, application attacks and breaches are often the result of easily exploited – and easily rectified – open source vulnerabilities. While we hope companies would self-regulate their cybersecurity hygiene in our software-driven world, daily breach headlines indicate that government, association and third-party regulations might be a necessary motivator for action.

One such entity that has recently decided to take action, through new standards to protect the Turkish citizenry, is the Banking Regulation and Supervision Agency (BRSA). The agency introduced Regulations requiring banks to more aggressively protect customer data and payment information and to create safer transactions.

As stated by Mondaq, “the Regulation will have significant impact on business operations carried out by (i) banks, (ii) auditing firms, (iii) technology firms offering outsource services to banks, (iv) firms offering open banking products.” And they aren’t to be taken lightly. Unlike other organizations that may just have “guidelines” in place, BRSA puts your money where their mouth is. Recently, it issued $48m worth of fines to institutions that didn’t follow its orders during the coronavirus pandemic. We expect to see similar fines for organizations that don’t follow these new hygiene rules; banks cannot afford to be noncompliant on any Regulations, and need a solution in place.

So, if you’re a financial institution operating in Turkey, what do you need to know?

Among other things, there are two overarching secure development measures that companies need to adhere to. They must:

  • “ensure that related software or mobile applications do not contain any code that could compromise customer security”
  • and “provide necessary patches and updates to the customer usage to address security flaws.”

The Regulations go into great detail on exactly how they expect companies to reach these broader goals. Specifically: 

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Alejandro Gamboa. Read the original post at: