Open Source in Finance Forum New York 2024

Consuming open source is only a risky proposition if you don’t take the time to engineer a process that mitigates risk through security best practices of open source. Building a program for your organization to securely consume and contribute to open source is no different than developing new software. It is entirely determined by the practices, policies, technical controls, risk tolerance, and culture you establish and reinforce. From your software supply chain to your running services, open source can be both a reference and a guide to conducting the necessary diligence so that your investment in open source is a reward for you, your engineers, and your business. In this talk, we’ll explore assumptions about open source and open source security, tactics for managing secure open source consumption, reducing or mitigating risk presented by open source, and how to successfully use triangle composition to drive your efforts.

Cloud native technologies bring a significant change to the technological landscape, offering unprecedented levels of agility and scalability to modernise IT infrastructure and systems. However, they may potentially introduce substantial added complexity, widen the skills gap, and enlarge the attack surface. Unmanaged adoption will inevitably result in increased risk for any organisation. Security domains and disciplines like open source ingestion, AI/ML secops, threat modeling, security architecture, engineering and incident response need to adapt to the cloud native ecosystem to remain effective. We'll present the most common pain points and pitfalls, to then provide an overview of available countermeasures based on 200+ combined years of cloud native expertise.

Key takeaways: Attendees will be presented with practical techniques to improve common security disciplines (threat modeling, security architecture, engineering, and incident response) for modern cloud-native systems. They will leave with an understanding of what enhancements are required to maximise their usability and effectiveness.

Attendees will be presented with (i) an overview of challenges associated with cloud native technologies, (ii) a focus on risks and skill gaps, (iii) practical techniques to improve common security disciplines (threat modelling, security architecture, engineering, and incident response) for modern cloud native systems, (iv) an understanding of what enhancements are required to maximise their usability and effectiveness, (iv) a reusable methodology for de-risking cloud native technologies adoption.

This interactive session will delve into how Security Architecture reviews can be drastically accelerated using architecture patterns and the Common Architecture Language Model (CALM). The security domain of CALM will be presented through a case study using the TraderX FINOS project (sample Trading Application built for educational and experimentation purposes). Presentation highlights: Security Architecture – delineating between design reviews and security assurance to introduce Permit to Build vs. Operate. Architecture patterns – removing friction from security assurance with straight-through permits. Architecture as Code – overview of CALM, its core schema and various domains. Security Domain – utilizing TraderX in the FINOS Tech Sprint 2024 Hackathon to build the Security Domain of CALM. Straight-through provisioning – automating security assurance using architecture patterns and CALM. Adoption – leveraging CALM in the architecture and developer community. Contribution – Architecture as Code Working Group (FINOS DevOps SIG) and On-site Accelerators at Morgan Stanley and London Stock Exchange Group.

This session details how you can combine open source specifications like the FOCUS, open source data collection like OpenTelemetry (OTEL), and open source models like Prophet to mature your FinOps practice. The session will begin by exploring adoption of FOCUS, which provides a specification to managing and ingesting FinOps cost & usage data. Next, we'll discuss the power of using Open Telemetry (OTEL) for collecting metric data & increasing observability in your cloud/data center. Finally, we'll introduce Prophet, an open source forecasting tool to demonstrate how it can predict future costs and usage trends based on your FOCUS & OTEL data. Whether just starting your FinOps journey or looking to add functionality to an existing practice, this session will show how a combination of open source tools can significantly expand FinOps capabilities without increasing the cost of running a FinOps program.