Open Source in Finance Forum 2022 — Key Takeaways
When searching for cutting-edge innovation through the use of open source software, standards, and collaboration, then traditional financial services organisations are not typically the first place you’d look. Despite this, there is a growing trend of acknowledgement within the sector that organisations must not only be able to leverage the use of open source software in an effective and safe way in order to survive in today’s Digital world, but that there are also benefits and opportunities to be gained from engaging with and contributing to the open source community.
On Wednesday 13th July I attended the Open Source in Finance Forum in London. This is an event that was hosted by the Fintech Open Source Foundation (FINOS), which is part of the Linux Foundation. This is a conference that aims to drive collaboration and innovation in financial services through the adoption and creation of open source software and standards. The conference brings together various experts from within financial services, technology and open source communities, and it is an opportunity to discuss and consider how the financial services industry can best leverage open source software (in a safe and regulatory-compliant way) to solve industry challenges.
The conference was kicked off with some opening remarks from the Executive Director of FINOS, Gabriele Columbro, followed by a number of keynote talks. The rest of the day then consisted of several different themed ‘tracks’ which attendees could pick and choose between — some were straight presentations, some were slightly more interactive discussions, and some were in the format of an interview or a panel discussion. There was also ample time available between sessions for networking with other participants, as well as opportunities to talk to a few organisations who had stalls set up in the breakout area.
From the sessions that I attended on the day, there were a few notable themes and topics that I’ll be focusing on in more detail in the following sections. These themes and topics are as follows:
- Open source security
- Leveraging open source for innovation
- The benefits of open source contribution and collaboration
Open Source Security
Security is always going to be a major concern and top priority for all financial services organisations, and with the wide-ranging fallout from the Log4Shell vulnerability still fresh in the memory from the end of 2021, it’s no surprise that open source security was a hot topic and key theme that featured in several talks at this event.
In his keynote speech at the start of the conference, Jim Zemlin (Executive Director of the Linux Foundation) chose to focus on the recently published Open Source Software Security Mobilisation Plan that has been produced by the OpenSSF (Open Source Software Security Foundation) project. To set the scene and to provide some context, it was highlighted by Jim Zemlin that open source software components are now so ubiquitous that “roughly 70–90% of any typical software stack consists of open source software”. This is a huge proportion of important technology, tooling and cloud infrastructure that is therefore dependent on the security of the open source software supply chain. Any vulnerabilities that are identified in these downstream dependencies present a systemic threat to not just private companies, but also to government services and critical national infrastructure. The 50-page mobilisation plan notes the following in the executive summary:
“While there are considerable ongoing efforts to secure the OSS supply chain, to achieve acceptable levels of resilience and risk, a more comprehensive series of investments to shift security from a largely reactive exercise to a proactive approach is required. Our objective is to evolve the systems and processes used to ensure a higher degree of security assurance and trust in the OSS supply chain.”
The report then goes on to introduce ten “activity streams” which can be started immediately and each of which has been individually costed. The plan overall is estimated to cost around $150million over two years — this may sound like a lot of money, but as noted by Jim Zemlin, this is a tiny amount when compared to what is at stake in terms of the scale and importance of the infrastructure and services that would be protected, and it is miniscule in comparison to the budgets that organisations across the public and private sectors already spend today attempting to protect themselves against these supply chain risks.
Some of the activity streams that the mobilisation plan contains are the following:
- Investing in secure software development education and training — providing 40–50 hours of “secure coding” training that is available for free, but with a specific focus on educating open source contributors and maintainers. There is also a proposal to introduce certifications and courses that will then hopefully become industry standard.
- Accelerate the adoption of digital signatures of software releases — while signatures are already relatively commonly used for software distribution, in the upstream development process they are far less common. This activity stream will drive improvement of the existing signing tools and infrastructure, and will encourage adoption by open source projects.
- Conduct third-party code reviews of up to 200 of the most critical open source software components once per year — an industry-wide coordinated effort to facilitate third-party code reviews of these critical components, with the aim of finding and fixing undiscovered vulnerabilities, and report to the public all of the associated findings and remediations to benefit the entire open source ecosystem.
- Improve SBOM tooling and training to drive adoption — an SBOM, or “software bill of materials”, is a fundamental building block to enable organisations to respond to vulnerabilities so that they can understand their exposure. Unfortunately many organisations do not maintain even a basic inventory today, and so the aim of this activity stream is to focus on tooling and advocacy to encourage the adoption of “SBOMs everywhere”.
Leveraging Open Source for Innovation
Utilising open source software, frameworks and tooling to drive innovation within technology companies is nothing new, and these benefits and endless possibilities are what has ultimately led to the explosive growth in open source projects and offerings over the last 10 to 15 years. At the Open Source in Finance Forum event, the focus was on how the use of open source software and open standards has resulted in innovation within the financial services sector specifically — perhaps something that is slightly less well established and publicised compared to other sectors.
In his presentation titled Open Finance: An Open Source View, we heard from Declan O’Gorman (Head of Enterprise Engineering at NatWest) about how NatWest have adopted an open source mindset and culture within the organisation to enable them to deliver new propositions and enhancements to existing value streams — much of this being driven by their exploitation of API ecosystems via the Open Banking and Open Finance industry initiatives. Declan explained that by adopting an “open-first” approach they uncovered new use cases and new revenue streams that they hadn’t envisaged when they started out on their journey.
ClearBank is a company that very much falls into the “FinTech” category, and compared to some of the other more traditional organisations that were represented at the event, they have the benefit of being “born in the cloud” — without the baggage of legacy systems and technologies. During a “fireside chat”-style session, Steven Hawkins (Head of DevOps Transformation at ClearBank) and James McLeod (FINOS representative) explored how open source software and tooling has been at the heart of ClearBank’s ability to scale, and how the internal engineering teams rely heavily on open source to enable them to provide their customers with a simple, performant and feature-rich cloud API offering. There was also some interesting discussion about how FINOS is able to engage with FinTechs, such as ClearBank, to better understand how usage and adoption of open source technologies can be accelerated within the sector — to enable FINOS to help other financial services organisations to reap the benefits whilst staying on the right side of industry regulation.
On the topic of industry regulation, one of the sessions that I attended was a panel discussion titled Regulation Innovation which explored how the financial services industry regulators are starting to exploit new ways of working (inspired in part by open source) to streamline processes and to make it easier for organisations to engage with them. It’s still very early days in this regulatory transformation, but it’s encouraging to see the regulators starting to adopt open standards, and seeing them attempt to adjust their engagement models so that organisations can demonstrate compliance using more automation and less onerous processes.
The Benefits of Open Source Contribution and Collaboration
The open source model only works if individuals and organisations are willing to “give back” — through code contributions, through sponsorship and financial support, through sharing and collaboration, and through the creation and nurturing of new open source projects and initiatives. As I talked about in the previous section of this article, open source is an amazing tool that can be leveraged to drive innovation — but it can’t just be a one-way interaction, otherwise it would not be sustainable.
This was topic was discussed in detail by Colin Eberhardt (Technology Director at Scott Logic) in his excellent talk titled Open Source Sustainability and our Corporate Social Responsibility. Colin highlighted the increasing complexity of modern software — due to the large dependency trees that typically consist of hundreds (if not thousands) of open source dependencies. As a result of this complexity, he questioned how much do we really understand about the components that make up our software products? How can we be sure that these dependencies are all being maintained properly, and that they’re secure and appropriate for enterprise usage? Colin then proceeded to present a deep-dive he had conducted into a popular open source javascript project that he picked at random — ExpressJS. What he found from this deep-dive was fairly shocking (albeit, unfortunately not all that surprising) — most of the open source dependencies of this project are maintained by single individuals operating alone, almost all of them working for free as their work is not funded.
As well as highlighting the fragility of many widely used open source projects, Colin also touched on the inherent security risks that this introduces:
“Here’s an interesting statistic for you … only 9.27% of npm maintainers have 2 factor authentication enabled. What this means is that if you obtain a maintainer’s username and password, you are free to publish new versions of their package, releasing malicious code into the wild if you so wish.”
Colin Eberhardt (Technology Director at Scott Logic)
The critical takeaway from Colin Eberhardt’s presentation was that organisations in the financial services sector (and in other sectors) must do more to share the burden, and they must use their engineering and monetary resources to improve this dire situation. Within many organisations the default reaction is to pump money into building a “walled garden” to protect themselves — for example, putting the focus on more robust security scanning and license checking. Colin argues that this is the wrong approach, and instead those resources should be channelled to the wider open source ecosystem to help tackle the problems at “grassroots level” — as this is the only way that open source will be sustainable for years to come.
This theme was tackled from a different angle by Chris Howard (Lead Open Source Program Manager at EPAM Systems) in his presentation titled Leveraging your organisation’s open source engagements to recruit and retain. In an environment where it’s extremely difficult to recruit good engineers and to retain existing team members, Chris explained how an organisation’s involvement in open source initiatives can provide a partial solution to this challenge. Research shows that engineers want to work for those organisations that are embracing open source. He therefore puts forward the case that organisations must evolve to accommodate this, and it’s also important for organisations to reflect the talent that they want to recruit — e.g. having an open source presence is likely to appeal to engineers that are already open source engaged themselves, and those are the people that organisations are often most desperate to recruit. In terms of the benefits and the value that open source engaged engineers can bring to an organisation, Chris had the following to say:
“Open source engaged talent are a unique breed — they bring with them new heights of innovation, they are excellent problem solvers, and they react to challenges and criticisms with reason. Open source engineers aren’t afraid to push themselves outside their comfort zone, and by coding in the open and putting their work on the stage this makes them a real talent amongst other engineers.”
Chris Howard (Lead Open Source Program Manager at EPAM Systems)
Summary
I thought the event was extremely well run, and I found it a productive and interesting day of presentations, talks and networking. At both an individual-level and at an organisational-level within Nationwide Building Society, there are a number of actions and follow-up conversations that have been triggered in response to the key takeaways that I’ve discussed above.
If you work in the financial services sector and you have an interest in open source technologies, then I’d strongly recommend that you consider attending future iterations of the Open Source in Finance Forum. All of the sessions from the 2022 event were recorded and are available to view for free on the Linux Foundation’s YouTube channel, so do check those out too.
