Cyberattacks, supply-chain issues, flooding, tsunamis, wildfires, equipment failures and even war: The financial sector has no choice but to keep operations running through all these — among other — types of disruptions, challenges and incidents.
The need to maintain operational resilience has lit a spark under regulatory authorities, which increasingly emphasize preparedness for unexpected events. One prime example is the European Union’s Digital Operational Resilience Act (DORA), which establishes a comprehensive framework for financial organizations to identify, prevent, detect, respond to and recover from information and communication technology (ICT) incidents, so that they can maintain critical functions, deliver essential services and meet their obligations to customers, stakeholders and regulators even when their ICT systems are disrupted or attacked.
To read more about how Contrast supports DORA, download our solution brief.
What is DORA?
The Council of the EU comprises government ministers from each EU country who are authorized to create and amend laws and coordinate policies. In November 2022, the council adopted DORA with the goal of providing consistent IT security standards for financial institutions (banks, insurance companies and investment firms) across all EU member states so as to keep the EU financial sector resilient against cyber threats and operational disruption.
In December 2022, DORA was published as Regulation (EU) 2022/2554 in the Official Journal of the European Union. Because it is a regulation rather than a directive, it is binding and directly applicable in every EU member state without national transposition. It entered into force on January 16, 2023, and its requirements apply to financial entities from January 17, 2025.
How Contrast Addresses DORA Requirements
Article 25 of the Regulation (“Testing of ICT tools and systems”) details the essential elements of testing ICT tools and systems. Securing custom applications and APIs, including the third-party libraries used by EU financial services firms, is key to meeting this requirement. Contrast Security supports DORA Article 25 with the Contrast Secure Code Platform in the following ways:
25.1 - The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.
Contrast supports the DORA testing requirements of §25(1) for vulnerability assessments and scans, open-source analysis, scanning software solutions, source-code reviews, end-to-end testing, and penetration testing. Contrast automates the process of performing these assessments, providing highly accurate results in real time as a part of the normal development process.
25.2 - Central securities depositories and central counterparties shall perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity.
Contrast’s speed and native pipeline integration make it well suited to the requirement in §25(2), which applies to central securities depositories and central counterparties, to perform vulnerability assessments of new or existing applications and APIs, infrastructure components and ICT services at every deployment or redeployment. Contrast performs vulnerability analysis automatically while the application runs under normal manual and automated QA tests, so no separate security testing step is needed in the pipeline. Because the analysis observes the code paths that those tests actually exercise, the coverage of the assessment is only as broad as the coverage of the tests that drive it.
25.3 - Microenterprises shall perform the tests referred to in paragraph 1 by combining a risk-based approach with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing provided for in this Article, on the one hand, and the urgency, type of risk, criticality of information assets and of services provided, as well as any other relevant factor, including the financial entity’s ability to take calculated risks, on the other hand.
Contrast’s scalability, real-time analysis and high accuracy deliver the balance of scale, speed and effort that §25(3) asks microenterprises to strike, maximizing software security with a minimum of testing effort.
Contrast Security can help secure your applications and APIs — a key step toward compliance with DORA Regulation (EU) 2022/2554. Schedule a demo and see how it works.
Time for Runtime Security
We see a future where every stack includes Runtime Security and software development organizations have a healthy Application Security (AppSec) program delivering fast remediation, minimal backlog and high-speed innovation.
Have a listen to this episode of the Application Security Podcast, in which we discussed Runtime Security, including key perspectives on:
- Why DAST is easily replaced by IAST
- Whether it’s time to throw out your web application firewall (WAF)
- Differences in detection and rule technologies between RASP and IAST
- Is Runtime Security your AppSec panacea?