Mapping Guidelines to Real-World Security Challenges
Dr. Dittin Andrews,
Scientist E (Cyber Security),
Centre For Development of Advanced Computing (C-DAC),
Thiruvananthapuram
11 December, 2024: The Indian Computer Emergency Response Team (CERT-In), the country's nodal agency for cyber security, has
issued directives emphasizing the importance of a Software Bill of Materials (SBOM) in enhancing
software supply chain transparency and security. These guidelines are designed to enhance software
security by providing a comprehensive inventory of all components, dependencies, and libraries used in
a software application. With the rapid digital transformation in India, the fintech industry has grown
exponentially, becoming a foundation of the economy. This growth has increased the
cybersecurity risks associated with software dependencies and third-party integrations. Fintech
companies, which often handle sensitive customer information and perform critical financial transactions,
shall ensure that their IT infrastructure systems remain resilient against cyber threats. An SBOM is
fundamentally a detailed list of the components within a software product, their versions and their origin,
providing crucial insight into potential security risks. This article explores how CERT-In's SBOM
guidelines (https://www.cert-in.org.in/PDF/SBOM_Guidelines.pdf) apply to the fintech sector and presents
practical use cases for implementing the recommendations within the industry to ensure secure and
resilient digital financial services in the country.
Leveraging CERT-In's SBOM Guidelines for Secure Fintech Operations in India: Key Use Cases
India's fintech landscape is undergoing rapid digital transformation, and the cybersecurity risks associated
with software dependencies and third-party services are escalating. To address these cyber security
challenges, CERT-In's Software Bill of Materials (SBOM) guidelines offer a comprehensive framework
for fintech companies to manage and mitigate risk. SBOMs document all software components,
including open-source, third-party, and proprietary elements, enabling greater transparency and faster
identification of security vulnerabilities. The framework supports proactive vulnerability management,
supply chain security, and regulatory compliance, aligning with the requirements set forth by Indian
fintech regulators including the Reserve Bank of India (RBI), the Insurance Regulatory and Development
Authority (IRDA), the Securities and Exchange Board of India (SEBI), and the Insolvency and
Bankruptcy Board of India (IBBI) to protect sensitive financial data across complex software ecosystems.
SBOMs provide valuable information for secure software development practices, supporting developers
in making decisions to enhance security from the beginning. CERT-In's SBOM guidelines are particularly
valuable in managing third-party risk, as they allow companies to closely examine dependencies within
their applications and integrations. Fintech firms, which often rely on external services like payment
gateways and analytics, can leverage SBOMs to verify the security posture of each component and
identify risks from external code. Additionally, the guidelines streamline audit processes by providing
clear records that demonstrate compliance with cybersecurity regulations. In instances of cyber incidents,
fintech firms can use SBOM data to locate vulnerable software elements quickly, allowing for efficient
and targeted responses.
Additionally, SBOMs facilitate risk assessment during mergers and acquisitions by enabling fintech
companies to evaluate the software environments of acquisition targets. With a well-maintained SBOM,
fintech firms can assess the condition of software components, identify high-risk dependencies, and
implement the necessary security measures post-acquisition. By providing a structured record of software
components, an SBOM helps fintech organizations demonstrate adherence to regulatory standards,
simplify audits, and reduce the risk of non-compliance penalties. This proactive stance enhances
resilience against cyber threats and fosters a secure, trusted environment for digital financial services in
the country, building trust with customers.
SBOM Implementation Strategies for Enhanced Security in Indian Fintech
Implementing a Software Bill of Materials is essential for Indian fintech organizations to improve
cybersecurity and regulatory compliance, especially in line with CERT-In's guidelines.
Cataloguing and Risk Categorization of Software Components: For a streamlined approach to SBOM
management, cataloguing all software elements, including open-source, third-party, and proprietary ones, is
essential. The resulting inventory shall provide thorough visibility and support security teams in
tracking dependencies accurately. Categorising these components by risk level, based on factors including but
not limited to data sensitivity and vulnerability history, focuses proactive monitoring effort on high-
risk items. This dual approach aids early identification of critical vulnerabilities, enhancing the
overall security of fintech operations.
Monitor and Track Component Vulnerabilities: To effectively monitor and track component
vulnerabilities in line with CERT-In's guidelines for Indian fintech, organizations should establish a
robust tracking process that facilitates the timely detection of security vulnerabilities. This involves
applying patches regularly and integrating threat intelligence platforms, CERT-In
vulnerability notes and vendor-specific advisories to ensure that the software environment remains resilient
against emerging threats. By identifying vulnerabilities before they escalate, fintech
companies can mitigate risks that could compromise sensitive financial data. This vigilant approach
enhances the overall security posture and safeguards operations in a dynamic threat landscape.
Establish a Vulnerability Management Process: In the context of CERT-In's SBOM guidelines for Indian
fintech, a robust vulnerability management process should integrate vulnerability tracking
and analysis through tools such as the Vulnerability Exchange Document (VEX) and the Common
Security Advisory Framework (CSAF). VEX facilitates standardized sharing of vulnerability information,
enabling organizations to quickly access relevant data on known vulnerabilities. CSAF provides a
structured approach to detailing security advisories, improving communication around risks and
remediation. Together, these frameworks support proactive identification and mitigation of vulnerabilities,
strengthening the cybersecurity posture.
Training and Awareness: Conducting training sessions on SBOM practices is essential to gradually impart
the value of an SBOM in vulnerability management and risk assessment. Training and awareness shall cover
how SBOMs enhance software visibility and reduce the risks associated with software supply chains. By
emphasizing the integration of SBOM processes into workflows, Indian fintech organizations can foster a
security-focused culture that promotes proactive vulnerability tracking. This approach ensures that all
stakeholders understand and support SBOM implementation, strengthening the organization's overall
cybersecurity resilience.
Automation Support: To effectively manage the complexities of SBOM implementation in fintech,
automation support is essential. By leveraging automated tools and processes, organizations can
continuously update their SBOMs, ensuring accuracy and keeping the record of software
components and their vulnerabilities current. Automation also streamlines the SBOM creation process,
reducing the manual effort required and minimizing the risk of human error. In addition,
automated SBOM updates facilitate real-time vulnerability tracking and compliance monitoring, enabling
organizations to respond quickly to emerging threats and maintain a robust security posture.
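The cataloguing, risk categorisation and VEX-based triage steps described in the strategies above, as an added example (not code from the article or from CERT-In): it reads a constructed CycloneDX-style SBOM and a constructed VEX document, tags components handling sensitive data as high risk, discards vulnerabilities the supplier has marked not affected, and orders the remaining findings so the review queue starts with the most urgent item. The "fintech:handles" property, the package references and the CVE identifiers are hypothetical placeholders.

```python
import json

# Constructed sample SBOM in CycloneDX JSON shape (hypothetical components, not a real product).
SBOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"bom-ref": "pkg:maven/org.example/payment-core@2.1.0", "name": "payment-core",
   "version": "2.1.0", "type": "library",
   "properties": [{"name": "fintech:handles", "value": "pii,transactions"}]},
  {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0",
   "type": "library"}]}""")

# Constructed VEX document (CycloneDX vulnerabilities array); the CVE ids are placeholders.
VEX = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.5", "vulnerabilities": [
  {"id": "CVE-0000-0001", "ratings": [{"severity": "critical"}],
   "analysis": {"state": "affected"},
   "affects": [{"ref": "pkg:maven/org.example/payment-core@2.1.0"}]},
  {"id": "CVE-0000-0002", "ratings": [{"severity": "high"}],
   "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
   "affects": [{"ref": "pkg:maven/org.example/payment-core@2.1.0"}]},
  {"id": "CVE-0000-0003", "ratings": [{"severity": "low"}],
   "analysis": {"state": "under_investigation"},
   "affects": [{"ref": "pkg:npm/left-pad@1.3.0"}]}]}""")

SENSITIVE = {"pii", "transactions", "credentials"}   # data classes that make a component high risk
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}

def catalogue(sbom):
    """Inventory keyed by bom-ref; a component is high risk if it touches sensitive data."""
    inventory = {}
    for c in sbom["components"]:
        tags = {v for p in c.get("properties", []) if p["name"] == "fintech:handles"
                for v in p["value"].split(",")}
        inventory[c["bom-ref"]] = {"name": c["name"], "version": c["version"],
                                   "risk": "high" if tags & SENSITIVE else "low"}
    return inventory

def triage(sbom, vex):
    """Join VEX statements to the inventory; drop not_affected, order the rest by urgency."""
    inventory, findings = catalogue(sbom), []
    for v in vex["vulnerabilities"]:
        state = v["analysis"]["state"]
        if state == "not_affected":        # supplier-asserted non-issue: no action needed
            continue
        sev = v["ratings"][0]["severity"]
        for comp in (inventory.get(a["ref"]) for a in v["affects"]):
            if comp is not None:           # ignore refs to components we do not ship
                findings.append({"vuln": v["id"], "component": comp["name"], "severity": sev,
                                 "state": state, "component_risk": comp["risk"]})
    # High-risk components first, then by severity, so the critical finding heads the queue.
    findings.sort(key=lambda f: (f["component_risk"] == "high", SEVERITY_RANK[f["severity"]]),
                  reverse=True)
    return findings
```

In practice the SBOM and VEX inputs would be regenerated by the build pipeline on every release, which is the automation step the section describes.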
Key Challenges and Solutions
Implementing an SBOM faces unique challenges. A key hurdle is the complexity of managing diverse
software components from multiple vendors, especially with the common practice of using open-source
and third-party tools. Organizations can address this challenge by automating SBOM processes, using
specialized tools to track, update, and monitor components. Limited resources and expertise can also
hinder the implementation, which can be mitigated by partnering with cybersecurity experts or
consultants to bolster internal knowledge and skills.
Fintech organizations must ensure compliance with evolving regulatory requirements, which can be
challenging as standards change over time. By conducting regular reviews and
updates of SBOM procedures, organizations can stay aligned with current regulations. Different
organizations may use various formats and standards for SBOMs, which makes it difficult to integrate
and compare information across the supply chain. Organizations shall adopt standardized formats for
SBOMs, such as SPDX or OWASP CycloneDX, to ensure consistency and interoperability.
Conclusions
The CERT-In SBOM guidelines are essential for enhancing the cybersecurity posture of India's fintech
industry, which handles sensitive customer information and critical financial transactions. These
guidelines provide a comprehensive framework for managing software components, improving
transparency, and mitigating risks associated with software supply chains. Implementing SBOM helps
fintech companies manage and mitigate cybersecurity risks by providing detailed insights into software
components and potential vulnerabilities. The proactive use of SBOMs supports efficient vulnerability
management and rapid incident response, fostering a secure and trusted environment for digital financial
services in India.
About the Author:
Dr. Dittin Andrews is associated with the Centre For Development of Advanced Computing (C-DAC),
Thiruvananthapuram, under the Ministry of Electronics and IT, Govt. of India. Currently designated as
Scientist E in Cyber Security, he is responsible for leading Cyber Security Consultancy Services and
Compliance Audit as per CERT-In, UIDAI, CCA, RBI, IBBI, SEBI, IRDA and TRAI guidelines.