Open Source in Finance Forum New York 2024

Consuming open source is only a risky proposition if you don’t take the time to engineer a process that mitigates risk through security best practices of open source. Building a program for your organization to securely consume and contribute to open source is no different than developing new software. It is entirely determined by the practices, policies, technical controls, risk tolerance, and culture you establish and reinforce. From your software supply chain to your running services, open source can be both a reference and a guide to conducting the necessary diligence so that your investment in open source is a reward for you, your engineers, and your business. In this talk, we’ll explore assumptions about open source and open source security, tactics for managing secure open source consumption, reducing or mitigating risk presented by open source, and how to successfully use triangle composition to drive your efforts.

Cloud native technologies bring a significant change to the technological landscape, offering unprecedented levels of agility and scalability to modernise IT infrastructure and systems. However, they may potentially introduce substantial added complexity, widen the skills gap, and enlarge the attack surface. Unmanaged adoption will inevitably result in increased risk for any organisation. Security domains and disciplines like open source ingestion, AI/ML secops, threat modeling, security architecture, engineering and incident response need to adapt to the cloud native ecosystem to remain effective. We'll present the most common pain points and pitfalls, to then provide an overview of available countermeasures based on 200+ combined years of cloud native expertise.

Key takeaways: Attendees will be presented with practical techniques to improve common security disciplines (threat modeling, security architecture, engineering, and incident response) for modern cloud-native systems. They will leave with an understanding of what enhancements are required to maximise their usability and effectiveness.

Attendees will be presented with (i) an overview of challenges associated with cloud native technologies, (ii) a focus on risks and skill gaps, (iii) practical techniques to improve common security disciplines (threat modelling, security architecture, engineering, and incident response) for modern cloud native systems, (iv) an understanding of what enhancements are required to maximise their usability and effectiveness, (iv) a reusable methodology for de-risking cloud native technologies adoption.

This interactive session will delve into how Security Architecture reviews can be drastically accelerated using architecture patterns and the Common Architecture Language Model (CALM). The security domain of CALM will be presented through a case study using the TraderX FINOS project (sample Trading Application built for educational and experimentation purposes). Presentation highlights: Security Architecture – delineating between design reviews and security assurance to introduce Permit to Build vs. Operate. Architecture patterns – removing friction from security assurance with straight-through permits. Architecture as Code – overview of CALM, its core schema and various domains. Security Domain – utilizing TraderX in the FINOS Tech Sprint 2024 Hackathon to build the Security Domain of CALM. Straight-through provisioning – automating security assurance using architecture patterns and CALM. Adoption – leveraging CALM in the architecture and developer community. Contribution – Architecture as Code Working Group (FINOS DevOps SIG) and On-site Accelerators at Morgan Stanley and London Stock Exchange Group.

This session details how you can combine open source specifications like the FOCUS, open source data collection like OpenTelemetry (OTEL), and open source models like Prophet to mature your FinOps practice. The session will begin by exploring adoption of FOCUS, which provides a specification to managing and ingesting FinOps cost & usage data. Next, we'll discuss the power of using Open Telemetry (OTEL) for collecting metric data & increasing observability in your cloud/data center. Finally, we'll introduce Prophet, an open source forecasting tool to demonstrate how it can predict future costs and usage trends based on your FOCUS & OTEL data. Whether just starting your FinOps journey or looking to add functionality to an existing practice, this session will show how a combination of open source tools can significantly expand FinOps capabilities without increasing the cost of running a FinOps program.

There’s a growing interest around FDC3, the open standard for financial application interoperability. FDC3 was designed to make it as easy as possible for apps to integrate, but if you’re new to FDC3, it can be daunting to know where to start. In this presentation, we will take you through how to introduce FDC3 into the code base. We will cover common decision points, as well as providing code examples and sample JIRA stories that work for both product and development managers.

In this session, you will learn how we have enabled AI Agent Navigation across our financial desktop platform.

Well-defined FDC3 intents can enable generative navigation, improving the Copilot experience on our platform, Connect Coach. FDC3 standards have enhanced interoperability between financial applications, allowing seamless communication and data sharing. However, discovering specific actions or operations (intents) remains challenging, causing friction in user experiences. Our Connect Platform has over 500 intents based on user navigation patterns and demands. We have integrated Large Language Models (LLMs) into the intent discovery process to increase user efficiency. LLMs can interpret user needs expressed in natural language and determine the most relevant intents.

Learn more about how we did this and our vision to use FDC3 to enable a "self-driving" experience for our users.

At the end of this thirty minute hands-on walkthrough, we will have created an enterprise grade FDC3 application. It will look amazing and demonstrate true value to a front office user. We will show that FDC3 is nothing to be intimidated by and that your existing web development skills will enable to you build something fantastic without a massive learning curve. FDC3 is an exciting technology which promises to revolutionise how capital market users consume software. The basic concepts of FDC3 are relatively simple but developers are sometimes put off by the myriad of vendors, libraries and swathes of documentation. Engineers recently introduced to FDC3 can find the learning curve frustrating compared to more familiar front end technologies. In this session, we will take participants through the process of building a simple but useful FDC3 compliant component using the Genesis platform. We will then show how that component can be used to compose a realistic capital markets application.

Following the "share identity with FDC3" proof of concept at the FINOS Hackathon in May 2023, and the work done over the past year by the "Identity & Threat Modelling" workgroup, this session will demonstrate and explain how two applications can use encrypted channels to securely share information over FDC3, without needing to trust either the desktop agent or any other intermediary

As its adoption increases, CDM will become central to the opportunity for Capital Markets to use standards to drive operating efficiency. It is no surprise that the result of shared common data and event modeling will reduce complexity whether in terms of operations or technology support. Our session explores how to realize these efficiencies with a proposed microservices based reference architecture that leverages the standard internally and externally and aligns with modern database technology. The result will be a new collaborative distributed processing model. In addition, since firms are likely to utilize their own proprietary data models for specific use cases, a critical component of this architecture is the ability to transform back and forth between those internal models and the standard. To facilitate navigating and aligning to those internal models, we leverage an LLM trained in CDM to simplify the identification of relevant data elements and support their bi-directional mappings. The key intent is to use the LLM to understand the structure of CDM vs internal models and, thereby, create mappings either directly or by generating code and assisting software engineers.

Open corporate digital identity standards play a pivotal role in combating financial crime. They provide a framework for secure and reliable identification processes. These standards help to establish trust and ensure that individuals and entities are who they claim to be, which is essential for preventing fraud, money laundering, and other financial crimes. By adhering to open corporate digital identity standards, financial institutions can more effectively detect and prevent suspicious activities. For instance, consistent and reliable corporate identity verification processes help to create comprehensive audit trails, making it easier to trace transactions and identify potential illicit activities. This session will delve into how open standards support corporate identity verification and how these standards have improved effectiveness and cost efficiencies for the financial service industry. The discussion will address mechanisms for authentication, data protection, and regulatory compliance - all essential elements in the fight against financial crime.