September 30 - October 1, 2024 | New York, New York
Note: The schedule is subject to change.

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for Open Source in Finance Forum New York 2024 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

This schedule is displayed in Eastern Daylight Time (EDT).
Security track
Monday, September 30
 

2:30pm EDT

Two Layers of Protection: How FINOS is Securing Projects and Member Supply Chains - Brian Fox, Sonatype
Monday September 30, 2024 2:30pm - 3:00pm EDT
Improving software supply chain security starts with a secure foundation. The FINOS community has recently intensified efforts to help members enhance software supply chain security on two critical fronts:

1. Empowering maintainers to assess and improve their dependency ingestion with access to enterprise-grade software composition analysis (SCA)
2. Providing in-depth dependency consumption analysis, including a detailed review of member downloads from Maven Central

In this presentation, Brian Fox, co-founder of Sonatype, the maintainers of Maven Central, will explore the tangible risks the FINOS community is addressing through these initiatives. He’ll walk through a detailed consumption analysis report from Maven Central, sharing industry insights, what these trends reveal about software supply chain risks, and actionable steps organizations can take to enhance their security posture. Additionally, he’ll provide an overview of the SCA tools available to maintainers to reduce risk and improve delivery across FINOS projects.
Speakers

Brian Fox

Cofounder & CTO, Sonatype
Co-founder and CTO, Brian Fox is a Governing Board member for the Open Source Security Foundation, a member of the Apache Software Foundation and former Chair of the Apache Maven project. As a direct contributor to the Maven ecosystem, including the maven-dependency-plugin and maven-enforcer-plugin... Read More →
Royale + Plymouth

2:30pm EDT

Unlocking Secure, Open Supply Chains - Emily Fox, Red Hat
Monday September 30, 2024 2:30pm - 3:00pm EDT
Consuming open source is only a risky proposition if you don’t take the time to engineer a process that mitigates risk through security best practices of open source. Building a program for your organization to securely consume and contribute to open source is no different than developing new software. It is entirely determined by the practices, policies, technical controls, risk tolerance, and culture you establish and reinforce. From your software supply chain to your running services, open source can be both a reference and a guide to conducting the necessary diligence so that your investment in open source is a reward for you, your engineers, and your business. In this talk, we’ll explore assumptions about open source and open source security, tactics for managing secure open source consumption, reducing or mitigating risk presented by open source, and how to successfully use triangle composition to drive your efforts.
Speakers

Emily Fox

Emerging Technologies Security Lead, Red Hat
Emily Fox is a DevOps enthusiast, security unicorn, and advocate for Women in Technology. She promotes the cross-pollination of development and security practices. She has worked in security for over 14 years to drive a cultural change where security is unobstructive, natural, and... Read More →
Music Box

3:10pm EDT

Mastering the Cloud Native Wave: Security Resilience in Modern Systems - Andrew Martin & Francesco Beltramini, ControlPlane
Monday September 30, 2024 3:10pm - 3:40pm EDT
Cloud native technologies bring a significant change to the technological landscape, offering unprecedented levels of agility and scalability to modernise IT infrastructure and systems. However, they may potentially introduce substantial added complexity, widen the skills gap, and enlarge the attack surface. Unmanaged adoption will inevitably result in increased risk for any organisation. Security domains and disciplines like open source ingestion, AI/ML secops, threat modeling, security architecture, engineering and incident response need to adapt to the cloud native ecosystem to remain effective. We'll present the most common pain points and pitfalls, to then provide an overview of available countermeasures based on 200+ combined years of cloud native expertise.

Key takeaways: Attendees will be presented with practical techniques to improve common security disciplines (threat modeling, security architecture, engineering, and incident response) for modern cloud-native systems. They will leave with an understanding of what enhancements are required to maximise their usability and effectiveness.

Attendees will be presented with (i) an overview of challenges associated with cloud native technologies, (ii) a focus on risks and skill gaps, (iii) practical techniques to improve common security disciplines (threat modelling, security architecture, engineering, and incident response) for modern cloud native systems, (iv) an understanding of what enhancements are required to maximise their usability and effectiveness, and (v) a reusable methodology for de-risking cloud native technology adoption.
Speakers

Andrew Martin

CEO, ControlPlane
Andrew has an incisive security engineering ethos gained building and destroying high-traffic web applications. Proficient in systems development, testing, and operations, he is at his happiest profiling and securing every tier of a cloud native system, and has battle-hardened experience... Read More →

Francesco Beltramini

Head of Technical Solutions, ControlPlane
Francesco is a Security Professional with 10+ years of working experience and deep technical competence matured on a number of high-end projects for both public and private sector organisations. Francesco had the opportunity of working on a variety of technology stacks in designing... Read More →
Music Box

4:10pm EDT

A Journey from Security Architecture to Straight-Through Provisioning - Aldwin Saugere & Iva Nikolaeva, Morgan Stanley
Monday September 30, 2024 4:10pm - 4:40pm EDT
This interactive session will delve into how Security Architecture reviews can be drastically accelerated using architecture patterns and the Common Architecture Language Model (CALM). The security domain of CALM will be presented through a case study using the TraderX FINOS project (a sample trading application built for educational and experimentation purposes).

Presentation highlights:

1. Security Architecture – delineating between design reviews and security assurance to introduce Permit to Build vs. Operate.
2. Architecture patterns – removing friction from security assurance with straight-through permits.
3. Architecture as Code – overview of CALM, its core schema and various domains.
4. Security Domain – utilizing TraderX in the FINOS Tech Sprint 2024 Hackathon to build the Security Domain of CALM.
5. Straight-through provisioning – automating security assurance using architecture patterns and CALM.
6. Adoption – leveraging CALM in the architecture and developer community.
7. Contribution – Architecture as Code Working Group (FINOS DevOps SIG) and On-site Accelerators at Morgan Stanley and London Stock Exchange Group.
Speakers

Iva Nikolaeva

Cybersecurity Architect, Morgan Stanley
Iva is a Security Architect in Morgan Stanley where she provides support and security guidance to a wide variety of technology teams and Strategists. She enables and guides teams on their journey through designing and building applications and through cloud adoption by advising on... Read More →

Aldwin Saugere

EMEA Head of Security Architecture, Morgan Stanley
Aldwin is the EMEA Head of Security Architecture at Morgan Stanley. The team provides Security Design consulting services and delivers Security Assurance for systems built by Morgan Stanley hosted on-premises and/or by Cloud Service Providers. Aldwin's team also performs Security... Read More →
Music Box