Open Source in Finance Forum New York 2024

Improving software supply chain security starts with a secure foundation. The FINOS community has recently intensified efforts to help members enhance software supply chain security on two critical fronts:

1. Empowering maintainers to assess and improve their dependency ingestion with access to enterprise-grade software composition analysis (SCA)
2. Providing in-depth dependency consumption analysis, including a detailed review of member downloads from Maven Central

In this presentation, Brian Fox, co-founder of Sonatype, the maintainers of Maven Central, will explore the tangible risks the FINOS community is addressing through these initiatives. He’ll walk through a detailed consumption analysis report from Maven Central, sharing industry insights, what these trends reveal about software supply chain risks, and actionable steps organizations can take to enhance their security posture. Additionally, he’ll provide an overview of the SCA tools available to maintainers to reduce risk and improve delivery across FINOS projects.

In this session we will look at the software supply chain and its key components from software factory to software logistics.
Software logistics goes beyond just doing a deployment. As we have seen in the common cloud controls project, you have to consider things like provisioning, configuration management, penetration testing, risk mitigation, observation and remediation. These items are usually handled by small teams that leverage tools, many of them open source, to simplify and automate routine tasks. Because a lot of these tools are very specific in nature, we want to look at what an open source
platform to manage all of these tasks might look like and if this could assist the common cloud controls working group. Finally, we will discuss areas where artificial intelligence could play a role.

Change Management team implemented GenAI based framework for reviewing quality of change implementation requests (CIR) for making production software or infrastructure changes, that ensures a certain standard and guidelines are adhered potentially preventing the production impact, and possibility of Change Control Failure resulting in an audit or regulatory findings. For an ecosystem that completes thousands of changes each year, this framework provides an efficient method to review change quality, ensure SDLC compliance and implement change controls. GenAI Assisted Quality check: Introduction of LLM based evaluation of CIR: •Every CIR will be scanned through LLM using pre defined rubrics, in case it is not up to a certain standard, or missing any information, the AI assistant will prompt back to user to provide the information to create a complete CR. •This is implemented using zero shot prompt and completion inference of LLM model. Graph based RAG Status: •CIRs are stored in a graph data structure, through which relations are captured •LLM is used for generating cypher queries to traverse the knowledge graph to determine relevant relation between CIRs and flag potential risk

Large financial institutions typically deploy their IT services across a number of private and public cloud providers. This asks for a platform-agnostic design of software applications to minimize the amount of rework required to migrate services between platforms. This applies to AI/ML models deployed for inference as much as any other software. In this presentation, we present an innovative framework ("inference-server") to streamline the deployment of an AI/ML model to the cloud. The framework is published by J.P. Morgan Chase at https://github.com/jpmorganchase/inference-server The framework abstracts the cloud infrastructure and connectivity aspects through a simple plugin system. This requires an ML software engineer to define an ML model as 2 functions only: 1) to load the model in memory and 2) to invoke that loaded model for a given set of input features. These 2 functions are then added to a Docker container image along the inference-server framework. This approach leads to a very modular design where an AI/ML model can be trivially tested in a development environment. If required the model could be deployed and accessed from any cloud computing platform.