The senior information security executive at JPMorgan Chase is urging the software industry to prioritize secure development practices over speed to market, warning that increasing supply-chain disruptions are weakening the global economic system.
Patrick Opet, global CISO at JPMorgan Chase, wrote in an open letter Friday that global companies depend on interconnected technologies and that software needs to be secure by default.
Opet said that because global companies increasingly rely on a small number of software-as-a-service providers, a hack or other disruption at one of those providers can affect critical infrastructure providers around the world.
JPMorgan Chase officials have seen the warning signs up close, Opet said.
“Over the past three years, our third-party providers experienced a number of incidents within their environments,” Opet wrote. “These incidents across our supply chain required us to act swiftly and decisively, including isolating certain compromised providers and dedicating substantial resources to threat mitigation.”
JPMorgan Chase in 2024 disclosed a third-party software issue that impacted more than 451,800 people, according to a filing with the Maine attorney general’s office. The flaw allowed three employees to see certain records of retirement plan participants.
The bank faced trading disruptions because of the July 2024 global IT outage caused by a faulty CrowdStrike software update, according to Bloomberg. The outage caused 8.5 million Windows devices to fail, leading to widespread disruptions across the airline industry, health care, financial services and other critical industries.
Modern identity protocols like OAuth create direct connections between third-party services and sensitive internal resources at companies, which makes it easier for attackers who compromise a third party to reach confidential data or internal communications, Opet noted in the letter.
Threat actors are increasingly targeting third-party technology providers as a method of gaining access to sensitive documents and disrupting systems. Opet cited a March blog post about efforts by the China-linked espionage group Silk Typhoon to abuse remote-access tools and cloud applications to gain initial access to target networks.
Opet wrote the letter on the eve of the annual RSA Conference in San Francisco, where more than 45,000 members of the cybersecurity industry are scheduled to discuss pressing issues like software security.
Opet said he wanted to see improved security standards and more transparency in how suppliers use privileged access. He also said technologies like confidential computing could reduce risks when suppliers use sensitive information.
“We’re looking for the software industry to recognize the criticality of risks today and collectively work together on a number of fronts,” Opet told Cybersecurity Dive.
Opet’s letter echoes a recent call from former Cybersecurity and Infrastructure Security Agency director Jen Easterly for the software industry to embrace secure-by-design principles.
Software security leaders welcomed the letter, although some argued for even tougher measures, including potential legal liability.
“The software supply chain is uniquely vulnerable as no one party builds the entire software up and downstream, creating opportunities for bad actors to exploit,” Brian Fox, co-founder and CTO at Sonatype, told Cybersecurity Dive via email.