The FINOS 2022 State of Open Source in Financial Services (OSinFSI) Report sheds light on the pressing security challenges in the financial services sector and the crucial role open source software plays in mitigating these risks. Because many business leaders may be unaware of how to properly manage open source software, this article aims to provide high-level insights for secure consumption of, and contribution to, open source.
According to the report, security is a major concern for the industry and open source software plays a critical role in improving it. However, many business leaders in financial services organizations may not be aware of how to manage open source software to ensure and enforce security within their organizations. To bridge this gap and help financial services executives understand the potential benefits and risks of open source software, this article will explore some high-level "how-tos" and considerations for consuming and contributing to open source in a security-conscious manner.
The OSinFSI report reveals that a majority of the survey participants, 77%, believe that contributing to open source software strengthens the security of the projects they're involved in. The report also accentuates the industry's substantial consumption of open source and the need for firms to implement policies and processes for both consumption and contribution to secure their operations. It highlights that the financial sector's current limitations in open source engagement may pose a problem in the future and calls for increased engagement with open source software.
In light of these considerations and limitations, financial services executives should also consider the following "how-tos" in order to enhance security and resilience in times of economic uncertainty. Note: this is not an exhaustive list, but it should point you in the right direction to get started, or plug some holes in your current plans:
1 - Investigate your organization's utilization of open source solutions:
The initial phase for any financial services executive should be to examine their organization's open source software utilization. This entails recognizing the open source tools and frameworks currently in use, as well as understanding the threats and weaknesses associated with these tools. Because they handle sensitive financial information, it is crucial for financial services companies to guarantee the security of their systems. A thorough understanding of its open source usage enables the company to better assess the security risks and vulnerabilities that come with it, and thus to draft a security strategy that specifically addresses these risks. You may be able to utilize the FINOS Waltz project to gain a visual representation of, and clarify, your organization's technology landscape as a starting point for this strategy.
2 - Craft a blueprint for open source security:
With a thorough understanding of the open source usage within your organization, you can now construct a plan to tackle any potential threats and weaknesses. This should encompass routine security assessments, vulnerability management, and incident response preparation. Adhering to open source security standards such as those from OWASP, NIST, or the emerging guidance from OpenSSF is crucial in enhancing the security posture of financial services organizations. With a well-defined plan, the company can proactively tackle security risks and vulnerabilities instead of merely responding after an attack has occurred. This results in a more secure and stable operational environment.
3 - Evaluate Open Source Governance:
Implementing robust open source governance is critical for financial services companies in maintaining compliance with regulations such as GDPR or SOX. Such governance encompasses processes and policies such as managing open source licenses, ensuring code authenticity via signing, and adhering to open source security standards. This proactive approach to managing open source usage not only enhances operational security by ensuring compliance, but also allows the identification and mitigation of potential vulnerabilities and risks associated with utilizing open source software.
Note: This is one of the fundamental membership values of FINOS. Any FINOS member can submit project contributions, and all FINOS projects comply with a well-established definition of project governance, as described on the FINOS Community website: https://community.finos.org/docs/governance/#open-source-software-projects
4 - Engage in Cross-Industry Collaboration:
Venturing into partnerships with entities like OpenSSF can raise awareness of open source and bolster security. By collaborating with other industries and exchanging information, financial services companies can maintain a current understanding of the most recent open source trends, protocols, and security weaknesses. This can result in more robust security procedures and an overall heightened comprehension of open source software.
Note: we're currently seeing cross-industry collaboration emerge in our special interest groups (SIGs) around Financial Regulation Innovation, Open Source Readiness, InnerSource, DevOps Automation, Financial Objects, and Diversity, Equity and Inclusion, all of which have the opportunity to touch on security in different areas of finance, with sell-side banks, buy-side firms, consultancies, big tech, system integrators, and security companies coming together in these areas. We think we'll also see our community coming together to stay ahead of the technology curve and security threats through the proposal from one of our FINOS Members to form an Emerging Technologies SIG, which has now been endorsed by possible contributors inside and outside of the FINOS membership, from many of the above segments in FSI.
5 - Focus on the open source libraries most commonly used within the industry:
Pinpointing the most utilized open source libraries across the financial sector and prioritizing investment towards supporting these libraries can advance the security posture of the industry as a whole. By participating in the upkeep of these widely adopted libraries, financial organizations can play a crucial role in identifying and remedying vulnerabilities, ultimately raising the security standards of these libraries. This is currently being addressed by The Linux Foundation through OpenSSF as well, in a working group on "securing critical projects", as part of the work done with the White House in 2022 on addressing software supply chain security challenges.
6 - Encourage contributions to open source projects:
An integral advantage of open source technology is the possibility of adding to and advancing existing projects. Encourage your personnel to become active participants in the open source community by contributing code, bug reports, and documentation. This presents a unique opportunity for financial services firms, enabling them to leverage the collective expertise and knowledge of a worldwide developer community and remain at the forefront of their industry. The majority of open source projects have some easier ways of getting new contributors involved. At FINOS, we have a list of Good First Issues for multiple projects to help you get your feet wet.
7 - Foster a culture of collaboration and learning:
By engaging in open source circles, personnel such as developers can foster a dynamic of communal learning and collaboration through project work. This accelerates novel ideas and improves productivity, which is crucial in times of economic turbulence. This holds immense significance for financial services organizations, as they have to be flexible in the face of fluctuating market conditions and maintain their competitive edge.
Based on the findings of the FINOS 2022 State of Open Source in Financial Services Report, it is evident that security is a major concern in the financial services industry and that open source software plays a critical role in mitigating these risks. However, many business leaders may be unaware of how to properly manage open source software. To address this, this article has provided high-level insights into secure consumption of, and contribution to, open source. The report highlights the significant consumption of open source in the industry and the need for firms to implement policies and processes for both consumption and contribution to secure their operations. By following the steps listed above, financial services organizations can enhance their security posture and remain compliant with regulations while also leveraging the collective expertise and knowledge of the open source community.
Authors:
- Maurizio Pillitu, CTO at FINOS
- Grizz Griswold, Head of Marketing at FINOS
Interested in reading the entire 2022 State of Open Source in Financial Services Report? Download it from the link below.