26 June 2024
London, England
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source in Finance Forum London 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is automatically displayed in British Summer Time.


Security
Wednesday, June 26
 

13:05 BST

EU's Cyber Resilience Act Repercussions in Open Source - Nick Peacock, Cloudsmith
The EU's Cyber Resilience Act (CRA) proposes stringent cybersecurity requirements for digital products, aiming to bolster security against cyberattacks. While it promises safer hardware and software, it also raises questions for Open Source contributors and organizations. Will they be liable for vulnerabilities in their code? Could this legislation stifle innovation or foster it? The final draft of the CRA removed the burdensome requirements on OSS contributors, a very near land mine for the OSS community. Join me in exploring these questions to understand how the CRA underscores the imperative for open source organizations to advocate for their interests in policymaking.

Speakers

Nick Peacock

Senior Director Customer Success, Cloudsmith
Nick has worked with software organisations across different industries to optimise and get the most out of their software. He currently heads up Customer Success at Cloudsmith, the only cloud native universal artifact management platform.


Wednesday June 26, 2024 13:05 - 13:19 BST
Plaza Suite 10

13:21 BST

Supply Chain Security for Financial Services - Rhyddian Olds, Citi
Join this panel to find out how defining a standard and conformance framework around supply chain security may help enterprises evidence that they are meeting supply chain risk and support vendors with rollout and adoption of security products and services.

Speakers

Rhyddian Olds

Director, Open Source Program Office, Citi


Wednesday June 26, 2024 13:21 - 13:35 BST
Plaza Suite 10

15:25 BST

Open Source Software Supply Chain Security - Cephas Paul Edward, Goldman Sachs
Choosing between open source and proprietary for enterprise solutions has always been a battle of the pros and cons of both paradigms. Though open source promises to generally boost flexibility and agility and happens to be cost-effective as well, there are increased concerns around the trustworthiness of open source components. Due to the nature of open source components, the surface area of potential attacks is also relatively high, especially when these are employed by financial firms. These become hotspots for attackers to gain access to sensitive data. Thus, the problem statement reduces to a "supply chain" problem. This presentation provides an insight into exploitation methods employed by attackers specifically in the context of open source components (with specific focus on supply chain attacks), risk identification and mitigation strategies (Secure SDLC practices with focus on supply chain security). In order to effectively identify relevant risk(s), it is important to defend the OSS components throughout the lifecycle. The presentation also focusses on best practices, which include a novel approach to ensure OSS maturity via a checklist and appropriate control gates.

Speakers

Cephas Paul Edward

Vice President, Goldman Sachs


Wednesday June 26, 2024 15:25 - 15:39 BST
Plaza Suite 10

15:41 BST

OpenSSF Security Insights: Empower Your GovOps - Luigi Gubello, Pitch
Discover the OpenSSF Security Insights specification, redefining open-source project security standards and compliance through automation and measurement. This specification provides a concise, machine-readable overview of project security, simplifying both human interpretation and automated processing. The specification helps security engineers and developers to have a project overview, standardizes attestation related to policies and licenses, and enables measurable information collection for open-source artifacts. This missing capability is essential for anyone creating software for highly regulated industries. Come explore the value of this open specification and the ecosystem that is quickly growing around it.

Speakers

Luigi Gubello

Senior Security Engineer, Pitch
Security Engineer. Sometimes I try to hack stuff. Investigated by the authorities due to an SQL injection, financed by the powers that be, someone said.


Wednesday June 26, 2024 15:41 - 15:55 BST
Plaza Suite 10
 