The days when financial institutions relied solely on proprietary code are over. Today, even the largest financial services firms have realized the benefits of using open source technology to build powerful, innovative applications with a reduced time-to-market. However, the financial services industry faces strict regulatory requirements that present it with a unique set of challenges, especially when it comes to open source usage (both consumption and contribution).
FINOS is a non-profit organization whose purpose is to accelerate collaboration and innovation in financial services through the adoption of open source software, standards and best practices. Together with WhiteSource, they are able to provide a safe environment for developers to use open source components freely and fearlessly.
Join FINOS and WhiteSource as they discuss:
The challenges of open source usage
The state of open source vulnerabilities management
How FINOS uses WhiteSource to ensure the security and IP compliance of FINOS-produced open source software
1. Empowering Financial Institutions to Use Open Source With Confidence
James McLeod, Director of Community, FINOS
Jeff Crum, Senior Director of Product Marketing, WhiteSource
2. finos.org | Fintech Open Source Foundation
“Financial services future will be open source and real time.”
Chris Skinner (The Finanser)
Photo & Quote: BBVA 2017
3. Open source activity by financial institutions
355,508 commits by financial institutions
44,996 repos from financial institutions
24,751 committers from industry
Source:
4. Open Source in Regulated Industries Is Not Easy
OSS value (why?) - decision makers enablement:
- Why open source? Business value of OSS engagement
- What to open source? Identify the “value line”, OSS commercialization tactics
OSS challenges (how?) - line of business enablement:
- Legal: contribution policy, CLAs, license
- Cultural: culture, community RoE
- Technical: OSS supply chain, DevOps workflow
How can FINOS help?
- Member Success initiative
- Open Source Readiness Program
- Open Developer Platform
- World-class OSS legal and technical experts
5. Traditional Solution Oriented Business Models
Production → Distribution → Marketing → Consumer
In traditional business models, value creation is linear and one-way.
6. A Linear Delivery Path with Increased Cycle Times
Development → Integration Test → Quality Testing → Security Testing → UAT & Route to Live (tests can fail at each stage)
▪ Waterfall follows a linear delivery path
▪ Failure results in delay and long cycle times
8. DevOps Equals Agile, Automation and Culture
Image: https://marketplace-cdn.atlassian.com/s/public/devops-hero-1-87966cfbc9c5713ae047551c7b22985c.png
9. Need Proof? Open = Disruptive Innovation
- 2004, Big Data: Google opens specs for MapReduce
- 2006, Cloud: Amazon launches AWS based on Xen, Linux, Dynamo
- 2007, NoSQL: First release of MongoDB
- 2008, Blockchain: Satoshi releases 0.1 of Bitcoin
- 2009, NoSQL: Facebook contributes Cassandra to Apache
- 2011, Big Data: Yahoo contributes Hadoop to Apache
- 2015, Modern Dev: Node.js joins the Linux Foundation
- 2016, Machine Learning: Google open sources TensorFlow
13. When is the optimal point to integrate security checks into the SDLC?
Plan → Code → Build → Deploy → Maint.
14. Detecting Issues as Early as Possible Has Multiple Benefits
- Coding: $80 per defect
- Build: $240 per defect
- QA & Security: $960 per defect
- Production: $7,600 per defect
The cost of fixing security and quality issues rises significantly as the development cycle advances.
15. 66% of companies have already implemented application testing during the build stage or even pre-build
Survey question: In what stage of the SDLC do you spend most of your time implementing security measures?
16. In what stage of the SDLC do you spend most of your time implementing security measures, by open source usage?
The higher the usage of open source, the more likely developers are to implement application security tools.
18. If the goal is to integrate security pre-build, then who should own application security in the organization?
72% of the respondents stated that the ownership over AppSec lies on the software development side.
Other chart values (labels not recovered): 20%, 28%, 23%, 29%
19. Research shows organizations of all sizes are shifting their operational security to software development teams
Survey question: Who owns security in your organization, by company size?
20. Companies are investing in secure coding training more than ever before
36% of developers say that their company provides them with security training that helps them code better.
22. What are the “right” tools?
Both teams need security tools, but in order to shift security left you need to empower your developers.
- Governance solutions: used by security teams and management to get full visibility and control over the security risks in their software
- Developer tools: used by developers to remediate vulnerabilities
23. Each Have Different Requirements
Governance solutions:
- Goal: visibility and control through automation
- Features: reports, prioritization and policy enforcement
Developer tools:
- Goal: information on issues and remediation support
- Features: integration with dev tools, real-time alerts and remediation insights
24. Three questions for shifting left
- How left can you go?
- Shifting left the right tools
- Who owns it?
25. Vision for a Fintech Open Developer Platform
High productivity, turnkey developer experience for software contributors and software consumers. Biz & legal peace of mind - we do the hard part!
Hosted platforms: Symphony (ReST API), Symphony (Extension API), Symphony (Integration webhooks), Fintech open data, Fintech open APIs, Cloud open APIs
Development infrastructure:
- Code hosting: GitHub
- Continuous integration: Travis CI
- Continuous delivery: OpenShift
- Release publishing: Maven Central, NPM, NuGet
- Security, quality, IP compliance: WhiteSource
Collaboration services: Wiki (Atlassian Confluence), Mailing lists (Google Groups), Web conferencing (WebEx), Metrics & reporting
Future partnerships and contributions: Bitergia
26. Pull Request Made to a FINOS GitHub Repository
colineberhardt.github.io/cla-bot
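As an added illustration of the kind of contribution gate a CLA bot applies to a pull request (this is not FINOS's or cla-bot's own code, and the mechanism it assumes, comparing every commit author and committer on the PR against a list of signed CLAs plus a corporate-CLA domain allow-list, is an assumption about how such a check is typically built): the names, e-mail addresses and the sample pull request below are constructed for the example.

```python
"""CLA gate for a pull request (added example; not FINOS's or cla-bot's code).

Assumed mechanism: load the list of contributors whose CLA is on file and
compare every commit author and committer on the pull request against it;
the PR stays blocked until every identity is covered. All identities,
domains and the sample PR below are constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Commit:
    sha: str
    author_email: str
    committer_email: str


# Constructed: lower-cased e-mails of individuals whose CLA is on file.
SIGNED_CLAS = {"alice@example-bank.com", "bob@example.org"}

# Constructed: domains covered by an employer (corporate) CLA.
CORPORATE_CLA_DOMAINS = {"example-bank.com"}

# Identities that belong to tooling rather than to a contributor, e.g. the
# committer recorded when a change is merged through the GitHub web UI.
IGNORED_IDENTITIES = {"noreply@github.com"}


def _normalise(email: str) -> str:
    """Case-insensitive comparison; e-mail case varies across git configs."""
    return email.strip().lower()


def is_covered(email: str) -> bool:
    """True when the identity is tooling, an individual signatory, or an
    address at a domain covered by a corporate CLA."""
    e = _normalise(email)
    if e in IGNORED_IDENTITIES or e in SIGNED_CLAS:
        return True
    domain = e.rsplit("@", 1)[-1] if "@" in e else ""
    return domain in CORPORATE_CLA_DOMAINS


def check_pull_request(commits):
    """Return (status, unsigned): status is 'success' when every author and
    committer on the PR is covered, otherwise 'failure'; unsigned is the
    sorted list of e-mails that still need a CLA, so the bot can name them."""
    unsigned = set()
    for c in commits:
        for email in (c.author_email, c.committer_email):
            if not is_covered(email):
                unsigned.add(_normalise(email))
    status = "success" if not unsigned else "failure"
    return status, sorted(unsigned)


# Constructed pull request: two covered commits and one from an unknown author
# (both the author and the committer identity are checked on every commit).
SAMPLE_PR = [
    Commit("a1b2c3", "Alice@Example-Bank.com", "noreply@github.com"),
    Commit("d4e5f6", "bob@example.org", "bob@example.org"),
    Commit("0f9e8d", "mallory@unknown.example", "bob@example.org"),
]

if __name__ == "__main__":
    status, unsigned = check_pull_request(SAMPLE_PR)
    print(status, unsigned)
```

The check inspects the committer as well as the author because a covered contributor can commit a patch written by someone who has not signed; reporting the exact uncovered addresses is what lets the bot post an actionable status on the PR instead of a bare failure.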
33. Multi Language ODP Validation Tools Matrix
finos.org/odp/docs > Development Infrastructure > Code Validation
34. Following the Open Source Compliance Pattern
The functional components of an Open Source compliance toolchain, produced by the Open Source Tooling group of the OpenChain Project.
35. Openness Enables Thriving Ecosystems - The Open Platform (Community / Open Ecosystem, finos.org)
Value line: Network → Content → App; participants: platform vendor and end user / integrator.
Open Standards (Open API):
- Platform vendor: semi-open ecosystem, lower CAC, easy integration
- End user / integrator: reduced vendor lock-in, solutions reuse, influence via standards groups
Open Source:
- Platform vendor: fully open ecosystem, focus on core IP, cheaper go-to-market, broad talent pool, community input / contributions
- End user / integrator: no vendor lock-in, influence via contribution, lower overall software TCO, talent acquisition and retention, security by many eyeballs
Value is in the ecosystem; the platform is just an enabler.
Open standards ensure high longevity for open source software; open source enables faster standard adoption and iterations.