Empowering Financial
Institutions to Use Open
Source With Confidence
James McLeod, Director of Community, FINOS
Jeff Crum, Senior Director of Product Marketing, WhiteSource
finos.org | Fintech Open Source Foundation
“Financial services’ future will be open source and real time.”
Chris Skinner (The Finanser)
Photo & Quote: BBVA 2017
Commits by financial institutions: 355,508
Repos from financial institutions: 44,996
Committers from industry: 24,751
Source:
OSS VALUE (Why?) and OSS CHALLENGES (How?)

DECISION MAKERS ENABLEMENT
▪ WHY OPEN SOURCE? Business value of OSS engagement
▪ WHAT TO OPEN SOURCE? Identify the “value line”; OSS commercialization tactics

LINE OF BUSINESS ENABLEMENT
▪ LEGAL: contribution policy, CLAs, licensing
▪ CULTURAL: culture, community rules of engagement (RoE)
▪ TECHNICAL: OSS supply chain, DevOps workflow

Open Source in Regulated Industries Is Not Easy

HOW CAN FINOS HELP?
▪ Member Success initiative
▪ Open Source Readiness Program
▪ Open Developer Platform
▪ World-class OSS legal and technical experts
Traditional Solution Oriented Business Models
PRODUCTION → DISTRIBUTION → MARKETING → CONSUMER
In traditional business models, value creation is linear and one-way.
A Linear Delivery Path with Increased Cycle Times
Development → Integration Test → Quality Testing → Security Testing → UAT & Route to Live
(tests can fail at each of these stages, sending the work back to development)
▪ Waterfall follows a linear delivery path
▪ Failure results in delay and long cycle times
Platforms Thrive in an Open Ecosystem
In platform business models, value creation is two-way and continuous.
(Diagram: platform ecosystem; logos are © and ™ of their respective owners)
DevOps Equals Agile, Automation and Culture
Need Proof? Open = Disruptive Innovation
▪ 2004, BIG DATA: Google opens the specs for MapReduce
▪ 2006, CLOUD: Amazon launches AWS, based on Xen, Linux and Dynamo
▪ 2007, NOSQL: First release of MongoDB
▪ 2009, BLOCKCHAIN: Satoshi releases Bitcoin 0.1 (the whitepaper was published in 2008)
▪ 2009, NOSQL: Facebook contributes Cassandra to Apache
▪ 2011, BIG DATA: Yahoo contributes Hadoop to Apache
▪ 2015, MODERN DEV: Node.js joins the Linux Foundation
▪ 2015, MACHINE LEARNING: Google open sources TensorFlow
So how can you shift left security successfully?
1. How left can you go?
2. Who owns it?
3. Shifting left with the right tools

1. How left can you go?
When is the optimal point to integrate security checks into the SDLC?
PLAN → CODE → BUILD → DEPLOY → MAINT.
Detecting Issues as Early as Possible Has Multiple Benefits
Cost of fixing a defect, by the stage at which it is found:
▪ Coding: $80/defect
▪ Build: $240/defect
▪ QA & Security: $960/defect
▪ Production: $7,600/defect
The cost of fixing security and quality issues rises significantly as the development cycle advances.
66% of companies have already implemented application testing during or even before the build stage.
(Survey chart: In what stage of the SDLC do you spend most of your time implementing security measures?)

(Survey chart: the same question, broken down by open source usage.)
The higher the usage of open source, the more likely it is that developers implement application security tools.
2. Who owns it?
If the goal is to integrate security pre-build, then who should own application security in the organization?
72% of the respondents stated that ownership of AppSec lies on the software development side.

Research shows organizations of all sizes are shifting their operational security to software development teams.
(Survey chart: Who owns security in your organization, by company size?)

Companies are investing in secure coding training more than ever before.
36% of developers say that their company provides them with security training that helps them code better.
3. Shifting left with the right tools
What are the “right” tools? Both teams need security tools, but in order to shift security left you need to empower your developers.

Governance solutions: used by security teams and management to get full visibility and control over the security risks in their software.
Developer tools: used by developers to remediate vulnerabilities.

Each Have Different Requirements
Governance solutions
▪ Goal: visibility and control through automation
▪ Features: reports, prioritization and policy enforcement
Developer tools
▪ Goal: information on issues and remediation support
▪ Features: integration with dev tools, real-time alerts and remediation insights
Vision for a Fintech Open Developer Platform
SOFTWARE CONTRIBUTORS: high productivity, turnkey developer experience
SOFTWARE CONSUMERS: biz & legal peace of mind - we do the hard part!

Hosted Platforms
▪ Symphony (REST API, Extension API, Integration webhooks)
▪ Fintech Open Data
▪ Fintech Open APIs
▪ Cloud Open APIs

Development Infrastructure
▪ Code hosting: GitHub
▪ Continuous integration: Travis CI
▪ Continuous delivery: OpenShift
▪ Release publishing: Maven Central, NPM, NuGet
▪ Security, quality, IP compliance: WhiteSource

Collaboration Services
▪ Wiki: Atlassian Confluence
▪ Mailing lists: Google Groups
▪ Web conferencing: WebEx
▪ Metrics & reporting: Bitergia (future partnerships and contributions)
Open Developer Platform pull request workflow
▪ Pull request made to a FINOS GitHub repository
▪ CLA bot gives real-time licensing feedback (colineberhardt.github.io/cla-bot)
▪ Building and testing triggered by the pull request
▪ DevSecOps with automated vulnerability testing: build if tests pass, alert if tests fail
▪ Real-time dependency vulnerability testing
▪ Vulnerability reporting at file dependency level
▪ Merging and Kubernetes (K8s) deployment once tests pass
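As an added example of the dependency-level gate the workflow above describes (this is illustrative code, not FINOS, ODP or WhiteSource code): a pull-request build scans the resolved dependencies of each manifest in the repository against an advisory feed, reports every hit at the file level, and blocks the merge only for findings at or above a severity threshold, so the "alert" and "fail" paths are separate. The manifests, package versions, version ranges and advisory IDs are constructed sample data, not real advisories; a real pipeline would take them from the scanner's output.

```python
"""Dependency vulnerability gate for a pull-request build (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    package: str
    affected: str      # comma-separated clauses, e.g. ">=4.0.0,<4.17.21"
    severity: str      # low | medium | high | critical
    advisory_id: str


@dataclass(frozen=True)
class Finding:
    manifest: str      # which dependency file pulled the package in
    package: str
    version: str
    advisory_id: str
    severity: str


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(v: str) -> Tuple[int, ...]:
    # Plain dotted numeric versions only; pre-release tags are out of scope here.
    return tuple(int(part) for part in v.split("."))


def version_matches(version: str, constraint: str) -> bool:
    """True if version satisfies every comma-separated clause of the constraint."""
    v = parse_version(version)
    for clause in constraint.split(","):
        clause = clause.strip()
        for op in ("<=", ">=", "==", "<", ">"):   # two-char operators first
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"bad constraint clause: {clause!r}")
        ok = {"<": v < bound, "<=": v <= bound, ">": v > bound,
              ">=": v >= bound, "==": v == bound}[op]
        if not ok:
            return False
    return True


def scan(manifests: Dict[str, Dict[str, str]], advisories: List[Advisory]) -> List[Finding]:
    """Match every resolved dependency of every manifest against the advisory feed."""
    findings = []
    for manifest, deps in manifests.items():
        for pkg, version in deps.items():
            for adv in advisories:
                if adv.package == pkg and version_matches(version, adv.affected):
                    findings.append(Finding(manifest, pkg, version, adv.advisory_id, adv.severity))
    return findings


def gate(findings: List[Finding], fail_at: str = "high") -> Tuple[bool, List[str]]:
    """Build-gate decision. Every finding is reported (the alert path); only
    findings at or above fail_at block the merge (the fail path)."""
    threshold = SEVERITY_RANK[fail_at]
    report, blocked = [], False
    for f in sorted(findings, key=lambda x: -SEVERITY_RANK[x.severity]):
        blocking = SEVERITY_RANK[f.severity] >= threshold
        blocked = blocked or blocking
        tag = "BLOCK" if blocking else "WARN"
        report.append(f"{tag} {f.manifest}: {f.package}@{f.version} {f.advisory_id} ({f.severity})")
    return (not blocked), report


# Constructed sample input: two manifests in one repository, as a lockfile would resolve them.
SAMPLE_MANIFESTS = {
    "package.json": {"lodash": "4.17.15", "express": "4.18.2"},
    "tools/legacy/package.json": {"minimist": "1.2.0", "lodash": "4.17.21"},
}

# Constructed advisory feed with placeholder IDs (not real CVEs or real affected ranges).
SAMPLE_ADVISORIES = [
    Advisory("lodash", "<4.17.21", "high", "EXAMPLE-ADV-001"),
    Advisory("minimist", "<1.2.6", "medium", "EXAMPLE-ADV-002"),
    Advisory("express", ">=4.0.0,<4.5.0", "low", "EXAMPLE-ADV-003"),
]


def run_gate(manifests=SAMPLE_MANIFESTS, advisories=SAMPLE_ADVISORIES, fail_at="high"):
    """Scan then gate; returns (build_passed, report_lines)."""
    return gate(scan(manifests, advisories), fail_at)


if __name__ == "__main__":
    passed, report = run_gate()
    print("\n".join(report))
    print("BUILD PASSED" if passed else "BUILD FAILED: merge blocked")
```

With the sample data the root package.json pins a lodash version inside the affected range and blocks the build, while the legacy manifest's minimist is only a warning; raising `fail_at` to `critical` turns the same scan into alerts only, which is the policy knob a governance team owns while developers consume the per-file report.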
Multi-Language ODP Validation Tools Matrix
See finos.org/odp/docs > Development Infrastructure > Code Validation
Following the Open Source Compliance Pattern
The functional components of an open source compliance toolchain, as produced by the Open Source Tooling group of the OpenChain Project.
Openness Enables Thriving Ecosystems
THE OPEN PLATFORM: community, open ecosystem
Value is in the ecosystem; the platform is just an enabler. (Finos.org)
Value line: NETWORK → CONTENT → APP

Open Standards (Open API)
▪ Platform vendor: semi-open ecosystem, lower CAC (customer acquisition cost), easy integration
▪ End user / integrator: reduced vendor lock-in, solutions reuse, influence via standards groups

Open Source
▪ Platform vendor: fully open ecosystem, focus on core IP, cheaper go-to-market, broad talent pool, community input / contributions
▪ End user / integrator: no vendor lock-in, influence via contribution, lower overall software TCO, talent acquisition and retention, security by many eyeballs

Open standards ensure high longevity for open source software; open source enables faster standard adoption and iteration.
Q&A
