Open Source in Finance Forum London 2024
26 June 2024
London, England
Note: The schedule is subject to change. All times are shown in British Summer Time (BST).


Security track
Wednesday, June 26
 

11:35 BST

A Strategic Approach to Assessing Viability of OSS Projects - Dawn Foster, CHAOSS
The ease in adopting open source can lead to organizations using software without considering its long-term viability. What happens when a project changes the license, stops making security updates, or has other issues that impact its usage? When a project that is incorporated into your products or services later becomes unviable, it can have negative implications for your users, customers, and reputation. This talk will compare the risks and rewards associated with projects under neutral foundations vs. those controlled by companies and look at how the people leading and contributing to the project influence risk. The presentation will contain details about how to assess project policies, governance, security practices, adoption, and community dynamics that can impact the stability and overall success of a project. Throughout the presentation, there will be discussions about techniques for measurement and which collections of metrics might be appropriate for your evaluations. The audience will walk away with practical advice about how to strategically evaluate the viability of open source projects within their supply chain and assess the risks and rewards for their situation.

Speakers

Dawn Foster

Director of Data Science, CHAOSS
Dr. Dawn Foster works as the Director of Data Science for CHAOSS where she is also a board member / maintainer. She is co-chair of CNCF TAG Contributor Strategy and an OpenUK board member. She has 20+ years of experience at companies like VMware and Intel with expertise in community...


Wednesday June 26, 2024 11:35 - 12:05 BST
Plaza Suite 10

13:05 BST

EU's Cyber Resilience Act Repercussions in Open Source - Nick Peacock, Cloudsmith
The EU's Cyber Resilience Act (CRA) proposes stringent cybersecurity requirements for digital products, aiming to bolster security against cyberattacks. While it promises safer hardware and software, it also raises questions for Open Source contributors and organizations. Will they be liable for vulnerabilities in their code? Could this legislation stifle innovation or foster it? The final draft of the CRA removed the burdensome requirements on OSS contributors, a very near land mine for the OSS community. Join me in exploring these questions to understand how the CRA underscores the imperative for open source organizations to advocate for their interests in policymaking.

Speakers

Nick Peacock

Senior Director Customer Success, Cloudsmith
Nick has worked with software organisations across different industries to optimise and get the most out of their software. He currently heads up Customer Success at Cloudsmith, the only cloud native universal artifact management platform.


Wednesday June 26, 2024 13:05 - 13:19 BST
Plaza Suite 10

13:21 BST

Supply Chain Security for Financial Services - Rhyddian Olds, Citi
Join this panel to find out how defining a standard and conformance framework around supply chain security may help enterprises evidence that they are meeting supply chain risk and support vendors with rollout and adoption of security products and services.

Speakers

Rhyddian Olds

Director, Open Source Program Office, Citi


Wednesday June 26, 2024 13:21 - 13:35 BST
Plaza Suite 10

13:45 BST

Open Source – the Digital Operational Resilience Act (DORA) – ISO 18974 - Katharina Grauf, PwC Germany & Marcel Scholze (DE), PwC
This talk highlights the latest regulatory requirements for OSS management in the financial sector, emphasises the importance of implementation and introduces guidelines, with a focus on ISO 18974. Security incidents over the past years have shown the consequences of vulnerabilities within the OSS ecosystem and painfully exposed that many organisations are still not adequately managing the security of OSS. In this regard, financial institutions are exposed to a high risk, as they are not only part of the critical infrastructure but also of a complex supply chain within the interbank market. Regulators react to the increasing cyber security risks, e.g. by the "US Executive Order on Improving the Nation's Cybersecurity" and EU "Cyber Resilience Act (CRA)" and the "Digital Operational Resilience Act (DORA)". Organisations are now facing the challenge to implement measures for OSS security management to mitigate those risks, but also to fulfil legal requirements, avoid penalties and meet their customers' demands for transparency. ISO 18974 provides valuable guidance on the measures to be taken and thereby increase security within the software supply chain.

Speakers

Katharina Grauf

Manager, PwC Germany
Katharina Grauf is a Manager within the Open Source Services team at PwC Germany and is specialized in OSS Management and the design and implementation of respective governance systems. She has relevant expertise in the assessment and implementation of ISO conformant processes for...

Marcel Scholze

Head of OSS Services, PwC
Marcel Scholze is a computer scientist and has more than 20 years of experience in the IT sector. In 2007 Marcel joined PwC and since then has been involved in consulting and audit projects in the field of IT sourcing and Open Source Software. Today he is a Director at PwC and the Head...


Wednesday June 26, 2024 13:45 - 14:15 BST
Plaza Suite 10

14:25 BST

Compliance Framework - An Open Source OSCAL Compliance Automation Framework - Ian Miell, Container Solutions
The Compliance Framework is an open source project Container Solutions has started that seeks to both automate and improve real-time visibility of an organisation's audit and compliance position. Building on open standards such as OSCAL and Common Cloud Controls (CCC), we seek to leverage the help of the community to:
- Reduce the toil of regular control audits
- Enable compliance teams with real-time reporting and alerting on compliance status
- Get organisations ready for DORA

This project was borne out of frustration with the amount of unnecessary and repeated manual work still performed in controls and compliance audit, and the piecemeal and self-serving approaches of the many proprietary tools emerging in this space. It seeks to build on the open approaches of the OSCAL and CCC standards out into practical implementation. This talk introduces the work completed so far, the architectural roadmap, and the people already involved. The longer term goal is to donate this work to the community, as Container Solutions has done with the Kubernetes Java SDK and the External Secrets Operator. To this end this talk seeks to recruit others at FINOS and elsewhere to the cause.

Speakers

Ian Miell

Partner, Container Solutions
Ian Miell has over twenty-five years' software experience consulting on, writing, running, architecting, and maintaining software and infrastructure for dozens of businesses from multinational banks to small enterprises. He has written the books on Docker, Bash, Git, and Terraform...


Wednesday June 26, 2024 14:25 - 14:55 BST
Plaza Suite 10

15:25 BST

Open Source Software Supply Chain Security - Cephas Paul Edward, Goldman Sachs
Choosing between open source and proprietary software for enterprise solutions has always been a battle of the pros and cons of both paradigms. Though open source generally promises to boost flexibility and agility, and happens to be cost-effective as well, there are increased concerns around the trustworthiness of open source components. Due to the nature of open source components, the surface area for potential attacks is also relatively high, especially when these are employed by financial firms. These become hotspots for attackers to gain access to sensitive data. Thus, the problem statement reduces to a "supply chain" problem. This presentation provides an insight into exploitation methods employed by attackers specifically in the context of open source components (with specific focus on supply chain attacks), risk identification and mitigation strategies (Secure SDLC practices with focus on supply chain security). In order to effectively identify relevant risk(s), it is important to defend the OSS components throughout the lifecycle. The presentation also focusses on best practices, which include a novel approach to ensure OSS maturity via a checklist and appropriate control gates.

Speakers

Cephas Paul Edward

Vice President, Goldman Sachs


Wednesday June 26, 2024 15:25 - 15:39 BST
Plaza Suite 10

15:41 BST

OpenSSF Security Insights: Empower Your GovOps - Luigi Gubello, Pitch
Discover the OpenSSF Security Insights specification, redefining open-source project security standards and compliance through automation and measurement. This specification provides a concise, machine-readable overview of project security, simplifying both human interpretation and automated processing. The specification helps security engineers and developers to have a project overview, standardizes attestation related to policies and licenses, and enables measurable information collection for open-source artifacts. This missing capability is essential for anyone creating software for highly regulated industries. Come explore the value of this open specification and the ecosystem that is quickly growing around it.

Speakers

Luigi Gubello

Senior Security Engineer, Pitch
Security Engineer. Sometimes I try to hack stuff. Investigated by the authorities due to an SQL injection, financed by the powers that be, someone said.


Wednesday June 26, 2024 15:41 - 15:55 BST
Plaza Suite 10

16:05 BST

Keep CALM and Carry on Approving Change - Matthew Bain & Aidan McPhelim, Morgan Stanley
Automating Architecture Approval Processes with the Common Architecture Language Model

The balance between rapid software development and maintaining high security and compliance standards is a critical challenge for financial institutions. The Common Architecture Language Model (CALM) offers a novel solution, embodying the principles of Architecture as Code (AasC) to automate architecture approvals. This presentation will delve into how CALM can drastically reduce approval times while ensuring strict adherence to security policies and risk management protocols. Attendees will explore the functionalities of CALM, its application in automating API approvals, and the significant benefits for system architecture design and maintenance.

Presentation Highlights
* CALM and the Shift to Architecture as Code
* Automating API Gateway Approvals with CALM
* A closer look at CALM's JSON Meta Schema and associated vocabulary
* The Advantages of Automation
* How the architecture and developer community can contribute to and leverage CALM for future projects

Speakers

Aidan McPhelim

Software Engineer, Morgan Stanley
Aidan McPhelim is a software engineer who has been working at Morgan Stanley for the last few years in Morgan Stanley's API Program. Aidan has taken a keen interest in front end development, working on Open Source projects such as the MessageBroker.

Matthew Bain

Distinguished Engineer, Morgan Stanley
Matthew Bain leads Architecture, DevOps and Modernization for Prime Brokerage & Securities Finance Technology at Morgan Stanley and has worked in Technology across the Finance industry for over 20 years. Matthew has been interested in computers since he was a child, starting from...


Wednesday June 26, 2024 16:05 - 16:35 BST
Plaza Suite 10

16:45 BST

Information Security in 2024: Staying Ahead of the Curve - Rajen Madan & Thushan Kumaraswamy, Leading Point
CXOs face significant and growing challenges in this space: privacy laws, enhanced security regulations, heightened scrutiny from regulators, operational resiliency requirements such as DORA, cloud data migration initiatives and data for AI use cases. Add to this the relentless barrage of data leaks and cyber attacks with new threat actor groups and coordinated attacks. UK FS firms reported a 3X increase in breaches to the ICO in 2023 compared with 2022; 80% of banks struggle with data protection and privacy; 60% of the banks reported serious operational failures in 2023 alone. Firms have responded with large investment programmes and the creation of CISO departments. However, our work with several FS firms to implement InfoSec requirements for ISO 27001, DORA, Cloud, Entitlements and Data Access Controls has highlighted a significant opportunity to be efficient and strategic about this. The average investment is £10-30m, and changes are needed at multiple levels, i.e. infrastructure, technical, data, process & education. We share what an optimised approach looks like: Application Authorisation; Asset Master; Policy Master; Data Access Control; Entitlements Service; Third Party; Reporting.

Speakers

Thushan Kumaraswamy

Co-Founder & CTO, Leading Point
Despite his youthful looks, Thush is a financial services practitioner with nearly 30 years' experience in business architecture in some of the biggest financial institutions in the world; Deutsche Bank, Goldman Sachs, HSBC, Barclays, AXA XL, amongst others. His primary focus is on...

Rajen Madan

Founder, Leading Point
Founder of Leading Point - a business solutions partner to global FS enterprises to help them navigate the new realities of innovation, disruption, regulation, and client expectations. With over 18 years of experience in the industry. I have delivered solutions and critical mandates...


Wednesday June 26, 2024 16:45 - 17:15 BST
Plaza Suite 10