This year at FINOS I am going to be focusing on one of FINOS' key existing projects: Open Source Readiness. This is FINOS' term for helping the finance industry "do open source properly".
Currently, for every firm involved in open source (whether using it or contributing to it) there's a different approach. What I want to get to this year is figuring out the best practices and making sure that they're published and available for everyone to use.
I don't claim to be the expert on this - but luckily through FINOS' members and sister foundations I know lots of people who are. In particular, I’m hoping that the FINOS Open Source Readiness Special Interest Group is going to help with this journey and provide leadership for this effort. This will involve training courses, articles, workshops and much more. As we mold this into shape, I'm going to try and blog about it to say how it's going. I hope that'll be interesting!
One thing our industry has asked for is the ability to measure themselves on open source. That is, are they doing open source properly? Are they following the right procedures? How do they compare to their competitors?
At the moment, it's hard to say. Foundations like the TODO group and the OSPO Alliance have come together to define maturity levels for open source organizations which should allow them to benchmark against their peers. There is precedent for this - a good example being CMMI maturity levels around organizational processes.
To get to the higher maturity levels, you’ll need to be following industry best practices: how do you consume open source software securely? Are you giving your staff the right training? What controls are in place when people contribute to open source? Do you have processes in place to handle vulnerabilities (like the famous Log4Shell exploit)?
At the moment, none of these things line up - it's hard to say what the best practices are. It's hard to say which ones you should achieve to meet a certain maturity level. I certainly don't know the answer.
Eventually, I hope we can get to the point where we have materials written and curated by experts that we can point towards to say what the best practices are and how they relate to the organizational maturity around open source. An industry body of knowledge, if you will.
Interested in this FINOS open source project, or any of our other projects? Click the link below to see how to get involved in the FINOS Community.