South Korea's Financial Security Institute said on Monday it held a software supply chain security seminar for the financial sector on Jan. 30 at the Financial Investment Association's Bulls Hall in Yeouido, with security officials from financial companies attending. It said it will begin full operation of a software supply chain security platform for the financial sector in February.
The platform provides integrated vulnerability management for the financial sector, an SBOM management framework and functions that make bug bounty operations more efficient. It aims to give the sector the visibility needed to identify threats across the software supply chain in real time and to create an environment for proactive responses.
The integrated vulnerability management function supports the entire process for key software vulnerabilities, from developing security patches to applying them, through a one-stop service. It is expected to minimise patch gaps by rapidly sharing vulnerability information in a controlled way through the platform.
The SBOM management framework establishes an SBOM management system for software that financial companies use or distribute to financial consumers. It supports rapid analysis of, and response to, the impact on the financial sector when new vulnerabilities are discovered. An SBOM (software bill of materials) is a record of all the components that make up a piece of software, their suppliers and the dependencies among those components, and is often likened to the DNA of software.
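To make the impact analysis described above concrete, here is an added example (not code from the Institute or its platform) that takes a newly published advisory and matches it against a set of SBOMs, walking each SBOM's dependency graph upward from the affected component so that transitive exposure is found, not just direct use. The three SBOMs and the advisory are constructed for the example in a simplified CycloneDX-like shape (a component list plus a `dependencies` graph of `ref -> dependsOn`); the application names, package names, `pkg:generic/...` refs, supplier names and advisory identifier are all hypothetical, and the version-range syntax is a small subset defined here for illustration.

```python
"""Matching a vulnerability advisory against SBOMs to find which applications are exposed."""
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.1.5' -> (3, 1, 5). Non-numeric parts count as 0 (simplification for this example)."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


# Two-character operators are listed first so ">=" is matched before ">".
_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
        ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def version_in_range(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated constraint, e.g. '>=3.0.0,<3.1.5'."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        op = next((o for o in _OPS if clause.startswith(o)), None)
        if op is None:
            raise ValueError(f"unsupported constraint: {clause!r}")
        if not _OPS[op](v, parse_version(clause[len(op):].strip())):
            return False
    return True


def comp(name: str, version: str, supplier: str) -> dict:
    """One SBOM component; the purl-style ref is only an identifier here (constructed)."""
    return {"ref": f"pkg:generic/{name}@{version}", "name": name, "version": version, "supplier": supplier}


NETLIB, JSON_CORE = comp("netlib", "1.4.2", "Example Corp"), comp("json-core", "2.0.0", "Example Corp")
CRYPTO_310, CRYPTO_315, CRYPTO_309 = (comp("crypto-utils", v, "Acme") for v in ("3.1.0", "3.1.5", "3.0.9"))

# Constructed sample: three simplified CycloneDX-style SBOMs, one per (hypothetical) application.
SBOMS = [
    {"app": "mobile-banking",
     "components": [NETLIB, JSON_CORE, CRYPTO_310],
     "dependencies": [{"ref": "mobile-banking", "dependsOn": [NETLIB["ref"]]},
                      {"ref": NETLIB["ref"], "dependsOn": [JSON_CORE["ref"]]},
                      {"ref": JSON_CORE["ref"], "dependsOn": [CRYPTO_310["ref"]]}]},
    {"app": "online-trading",
     "components": [CRYPTO_315],
     "dependencies": [{"ref": "online-trading", "dependsOn": [CRYPTO_315["ref"]]}]},
    {"app": "loan-portal",
     "components": [NETLIB, CRYPTO_309],
     "dependencies": [{"ref": "loan-portal", "dependsOn": [NETLIB["ref"], CRYPTO_309["ref"]]},
                      {"ref": NETLIB["ref"], "dependsOn": [CRYPTO_309["ref"]]}]},
]

# Constructed advisory (hypothetical identifier): package, affected range and fixed version.
ADVISORY = {"id": "EXAMPLE-0001", "package": "crypto-utils", "affected": ">=3.0.0,<3.1.5", "fixed": "3.1.5"}


def vulnerable_refs(sbom: dict, advisory: dict) -> List[str]:
    """Refs of components whose name matches the advisory and whose version is in the affected range."""
    return [c["ref"] for c in sbom["components"]
            if c["name"] == advisory["package"] and version_in_range(c["version"], advisory["affected"])]


def paths_to_root(sbom: dict, target: str) -> List[List[str]]:
    """Every dependency chain root -> ... -> target, found by walking the graph upward from target."""
    parents: Dict[str, List[str]] = {}
    for entry in sbom["dependencies"]:
        for child in entry["dependsOn"]:
            parents.setdefault(child, []).append(entry["ref"])
    root, paths = sbom["app"], []

    def walk(node: str, path: List[str], seen: frozenset) -> None:
        if node == root:
            paths.append(path)
            return
        for parent in parents.get(node, []):
            if parent not in seen:  # guard against cycles in a malformed graph
                walk(parent, [parent] + path, seen | {parent})

    walk(target, [target], frozenset({target}))
    return paths


def assess(sboms: List[dict], advisory: dict) -> Dict[str, List[List[str]]]:
    """Map each exposed application to the dependency chains that reach an affected component."""
    impact: Dict[str, List[List[str]]] = {}
    for sbom in sboms:
        label = {c["ref"]: f'{c["name"]}@{c["version"]}' for c in sbom["components"]}
        label[sbom["app"]] = sbom["app"]
        chains = []
        for ref in vulnerable_refs(sbom, advisory):
            # A listed component with no edge from the root is still reported (as a one-element
            # chain) rather than dropped: an incomplete dependency graph must not hide exposure.
            for path in paths_to_root(sbom, ref) or [[ref]]:
                chains.append([label[n] for n in path])
        if chains:
            impact[sbom["app"]] = chains
    return impact


if __name__ == "__main__":
    for app, chains in assess(SBOMS, ADVISORY).items():
        print(f"{app}: exposed to {ADVISORY['id']} (fix: {ADVISORY['package']} {ADVISORY['fixed']})")
        for chain in chains:
            print("   " + " -> ".join(chain))
```

Run as-is it reports `mobile-banking` (reached only through `netlib -> json-core`) and `loan-portal` (reached directly and via `netlib`), while `online-trading` on the fixed 3.1.5 release is not listed; the chains are what lets a team decide whether the fix is a direct upgrade or has to wait on an upstream library's release.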
Through bug bounty operations, the platform is expected to contribute to identifying zero-day vulnerabilities in financial sector software, minimising security blind spots and promoting a culture of finding vulnerabilities by paying rewards to those who report vulnerabilities. A zero-day vulnerability refers to a security flaw in software that attackers can exploit before the developer becomes aware of it, or before a patch or solution is in place even if the developer is aware of it.
Park Sang-won (박상원), head of the Financial Security Institute, said the platform would allow financial companies to grasp at a glance the status of vulnerabilities in their software and the scope of impact, and to set response priorities rationally, thereby strengthening the efficiency and effectiveness of vulnerability management. He added it would continue to upgrade the platform so that financial authorities can also comprehensively understand the overall status of supply chain security in the financial sector and use it for policymaking.