OSR Roundtable at OSFF Oct 2024
Vishwanath Gorti - Deutsche Bank
The Open-Source Readiness (OSR) Roundtable at OSFF 2024 focused on several pressing topics: the high-level Cost of Forks, the results of the new OSMM (Open Source Maturity Model) Checklist Survey, and Inner Sourcing. The event brought together industry leaders, security experts and developers to discuss key challenges and strategies for fostering OSS readiness. It provided a platform for in-depth discussion of how FSIs can better manage, secure and contribute to the open-source projects they depend on, with a focus on enhancing governance, security and cultural readiness.
OSS Governance and Compliance:
- Open Source Policies: Establishing comprehensive governance frameworks for managing OSS within organizations was a priority. Discussions focused on ensuring compliance with licensing regulations, reducing the legal and operational risks of open-source use, and defining clear policies for contribution and code usage.
- Licensing Issues: FSIs need robust processes to handle the legal complexities of open-source licenses. Participants discussed best practices for selecting and managing licenses, handling the integration of proprietary code, and mitigating the risks of licensing violations.
Open-Source Maturity:
- Open-Source Maturity Model (OSMM): Participants explored the OSMM, a tool designed to help organizations assess their level of open-source maturity. The model provides insights into areas such as organizational culture, policy development and resource allocation. By using this framework, institutions can gauge their progress and identify areas needing further development to fully benefit from OSS.
- Cultural Shift: There was a strong emphasis on the cultural aspects of open-source adoption. Successful OSS integration requires a shift towards collaboration, transparency, and community participation. Strategies for fostering an open-source mindset within traditionally conservative financial institutions were discussed.
Supply Chain Security:
- OSS Security Practices: Securing the software supply chain remains a major concern. The roundtable examined how financial institutions can contribute to, and benefit from, initiatives like the Open-Source Security Foundation (OpenSSF). Topics covered included ensuring code quality in OSS dependencies, vulnerability management, and implementing tools like Software Bill of Materials (SBOM) to track and secure code bases.
- Log4Shell and Beyond: Recent high-profile vulnerabilities like Log4Shell have exposed the risks of using widely adopted open-source libraries. The discussion highlighted proactive measures FSIs can take to detect, mitigate, and respond to such incidents through better OSS management and collaboration with the broader open-source security community.
Contributing to OSS Projects:
- Encouraging Contributions: One of the key topics was how FSIs can move from passive consumers of OSS to active contributors. While many institutions use open source, few contribute to projects. The roundtable focused on the value of contributing to major projects like FINOS and OpenJS, both to improve the software they rely on and to influence the direction of future development.
- Incentivizing Internal Developers: Another challenge discussed was incentivizing internal teams to contribute to OSS. Many organizations struggle to balance internal development work with contributions to external OSS projects. Solutions included recognizing contributions through performance evaluations and creating dedicated open-source contribution programs.
Building a Sustainable OSS Ecosystem:
- Sustainability Models: Financial institutions are increasingly recognizing the importance of ensuring the long-term sustainability of key OSS projects. Discussions revolved around funding models, such as corporate sponsorships or public-private partnerships, to ensure that critical OSS tools used in finance remain well maintained and secure.
- Collaboration Across Industries: Collaboration between FSIs, tech companies, and regulatory bodies was seen as essential for creating a thriving open-source ecosystem. The roundtable stressed the need for open communication and joint efforts to address shared challenges in OSS adoption and security.
OSMM
The two major focal areas, the Open-Source Maturity Model (OSMM) and InnerSourcing, are crucial frameworks for increasing organizational readiness, fostering collaboration and managing the risks associated with OSS adoption.
The Open-Source Maturity Model (OSMM), developed by FINOS as part of the Open-Source Readiness (OSR) initiative, is a strategic tool designed to assess an organization’s preparedness to adopt and manage OSS effectively. The OSMM evaluates several dimensions, including culture, policies and technical practices, to provide a roadmap for improving open-source readiness.
Key elements of OSMM:
- Governance and Policy Maturity: Organizations are assessed on how well they have developed clear policies regarding the use of open-source software, including processes for reviewing, approving, and auditing OSS. This includes ensuring compliance with licenses and regulations, as well as understanding the legal implications of OSS use.
- Cultural Maturity: One of the most critical aspects of the OSMM is fostering an open-source culture within traditionally closed environments like financial institutions. This includes encouraging collaboration, transparency, and a mindset shift toward sharing and contributing to external projects.
- Technical Maturity: The model evaluates how well an organization manages technical practices around open-source adoption, including the use of secure coding practices, managing OSS dependencies and integrating open-source tools with proprietary systems.
- Stages of Maturity: Organizations are ranked on a maturity scale, ranging from Reactive (organizations that are just beginning to use OSS) to Proactive (organizations that actively contribute to OSS projects, have mature policies and are deeply embedded in the open-source community). At the Optimized stage, companies have fully integrated open-source practices into their operations and influence the direction of the OSS projects they depend on.
Benefits of OSMM Adoption:
- Risk Mitigation: By following the OSMM, organizations can identify potential legal, security and operational risks early on and implement strategies to mitigate them.
- Improved Collaboration: Organizations at higher maturity levels contribute more actively to OSS projects, influencing development in ways that benefit their business.
- Regulatory Compliance: The model helps institutions navigate the complex regulatory environment surrounding OSS, particularly in heavily regulated industries like finance.
InnerSource
Innersourcing is another key concept that was explored at OSFF 2024, building on the principles of open source but applied within an organization’s internal structure. Innersourcing refers to the practice of applying open-source methodologies, such as open collaboration, shared repositories, and peer review to internal development projects. This practice helps large, traditionally siloed organizations, such as financial institutions, become more agile and innovative by breaking down barriers between internal teams.
Key Elements of Innersourcing:
- Internal Collaboration: Innersourcing enables teams within an organization to collaborate more freely, using open-source-style repositories such as GitHub or GitLab, where developers can share code, suggest improvements and contribute across different departments. This leads to faster innovation and problem-solving, since employees are not restricted to their designated project teams.
- Transparency: Just like in open-source projects, innersourcing promotes transparency by making code and project details visible to all employees. This visibility helps to avoid duplicated effort and allows other teams to reuse or improve existing code.
- Cross-Departmental Innovation: One of the benefits of innersourcing is that it opens up the development process to contributors across the organization, leading to more innovative solutions. Developers from different departments or business units can provide fresh perspectives on solving technical challenges.
- Innersourcing Tools and Practices: The discussions highlighted several tools and practices for successful innersourcing, including the use of internal wikis, open communication channels (like Slack), and CI/CD pipelines that enable continuous integration and feedback.
Benefits of Innersourcing:
- Enhanced Efficiency: By breaking down silos, organizations can reuse internal code more effectively, avoiding duplication of efforts across different departments.
- Talent Engagement: Innersourcing allows developers to work on a broader range of projects, increasing job satisfaction and encouraging employees to develop new skills.
- Fostering an Open-Source Culture: Innersourcing is often seen as a steppingstone toward full participation in external open-source communities. It helps build an internal culture of sharing and collaboration, which is critical for organizations aiming to contribute to major OSS projects.
Elsewhere At OSFF
At OSFF NYC 2024, several open-source compliance and security tools were showcased, including Compliance Cow and GitProxy, both designed to address critical challenges in managing open-source software in financial services and other highly regulated industries.
Compliance Cow
Compliance Cow is an open-source tool designed to automate and simplify the process of ensuring compliance with open-source licenses and organizational policies. It helps organizations maintain visibility over their software dependencies and verify that they adhere to legal and policy requirements. The tool is particularly useful for industries like finance, where compliance with strict regulatory standards is crucial. Key features include:
- License Tracking and Enforcement: Compliance Cow can scan software repositories to detect and validate open-source licenses, ensuring that the right licenses are used and that no incompatible licenses are inadvertently introduced into the codebase.
- Automated Compliance Audits: The tool enables continuous compliance monitoring by automatically scanning code during the development lifecycle and flagging any non-compliant or risky components.
- Integration with CI/CD Pipelines: It integrates seamlessly into CI/CD workflows, allowing teams to address compliance issues early in the software development process and avoid costly remediation later on.
By offering automated checks and a detailed view of OSS license obligations, Compliance Cow allows financial institutions to confidently use and contribute to open-source software while ensuring they remain compliant with legal and regulatory frameworks.
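As an added illustration of the license tracking and CI-gate checks described above (this is not Compliance Cow's code or configuration, and also stands in for the SBOM-based tracking mentioned under Supply Chain Security), the Python below evaluates a constructed CycloneDX-style SBOM fragment against a constructed allow/deny license policy. The policy sets, the sample components and the verdict rules are all assumptions made for this example; it covers the dual-licensing (OR), combined-licensing (AND) and missing-license cases a scanner has to decide on.

```python
"""License-policy gate over a CycloneDX-style SBOM (constructed example)."""
import json
import re

# Constructed policy: permissive licenses are allowed outright, strong-copyleft
# licenses are denied; anything else is routed to human review.
POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "denied": {"GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only",
               "AGPL-3.0-or-later", "SSPL-1.0"},
}

# Constructed SBOM fragment in the CycloneDX JSON shape (only the fields used here).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "readline-clone", "version": "1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "dual-lib", "version": "0.4.1",
         "licenses": [{"expression": "(MIT OR GPL-3.0-only)"}]},
        {"type": "library", "name": "strict-dual", "version": "2.0.0",
         "licenses": [{"expression": "Apache-2.0 AND GPL-3.0-only"}]},
        {"type": "library", "name": "mystery-lib", "version": "3.2.0"},
    ],
})


def parse_expression(expr):
    """Split a flat SPDX expression into OR-alternatives, each an AND-set of ids.
    Supports one level of outer parentheses; nested groups are out of scope."""
    expr = expr.strip()
    if expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1]
    return [frozenset(tok.strip("() ") for tok in re.split(r"\s+AND\s+", alt))
            for alt in re.split(r"\s+OR\s+", expr)]


def component_alternatives(component):
    """Return the licensing options for a component as a list of AND-sets."""
    entries = component.get("licenses", [])
    if not entries:
        return []            # no license data at all: must be reviewed
    alternatives = [frozenset()]
    for entry in entries:
        if "expression" in entry:
            parsed = parse_expression(entry["expression"])
        else:
            lic = entry.get("license", {})
            parsed = [frozenset({lic.get("id") or lic.get("name") or "UNKNOWN"})]
        # Several entries in the `licenses` array are treated as all applying (AND).
        alternatives = [a | p for a in alternatives for p in parsed]
    return alternatives


def classify(alternatives, policy=POLICY):
    """allowed if any option is fully allowed; denied if every option hits the
    deny list; otherwise unknown (needs review)."""
    if not alternatives:
        return "unknown"
    verdicts = []
    for alt in alternatives:
        if alt <= policy["allowed"]:
            verdicts.append("allowed")
        elif alt & policy["denied"]:
            verdicts.append("denied")
        else:
            verdicts.append("unknown")
    if "allowed" in verdicts:
        return "allowed"
    if all(v == "denied" for v in verdicts):
        return "denied"
    return "unknown"


def evaluate_sbom(sbom_json, policy=POLICY):
    """Map 'name@version' to a verdict for every component in the SBOM."""
    sbom = json.loads(sbom_json)
    return {f"{c['name']}@{c['version']}": classify(component_alternatives(c), policy)
            for c in sbom.get("components", [])}


def gate(findings):
    """CI decision: fail the build on any denied component; list unknowns for review."""
    denied = sorted(k for k, v in findings.items() if v == "denied")
    review = sorted(k for k, v in findings.items() if v == "unknown")
    return {"pass": not denied, "denied": denied, "review": review}


if __name__ == "__main__":
    print(json.dumps(gate(evaluate_sbom(SAMPLE_SBOM)), indent=2))
```

The important design choice is that a missing or unrecognised license never passes silently: it lands in the review list rather than being treated as allowed, so the gate fails closed on the legal risk the roundtable flagged.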
GitProxy
GitProxy is another open-source security tool introduced at the forum, designed to provide secure access to open-source repositories in a controlled and compliant manner. GitProxy acts as a security layer between internal corporate networks and external Git repositories (e.g., GitHub, GitLab), protecting organizations from potential security risks associated with pulling unvetted or malicious code from public repositories.
- Secure Repository Access: GitProxy allows organizations to manage which external Git repositories their developers can access, ensuring that all code pulled into the organization meets security and compliance standards.
- Code Vetting and Whitelisting: It can be configured to vet code from open-source repositories, automatically rejecting or flagging repositories that don’t meet certain security criteria or are from unknown sources.
- Audit Trails and Compliance Logging: GitProxy provides detailed audit trails of repository access and code downloads, ensuring that all open-source usage is logged for compliance purposes. This feature is especially important for regulatory reporting and audit requirements.
- Integration with Internal Policies: It enforces organizational policies on open-source contributions, ensuring that only approved code is pushed to public repositories by the company’s developers.
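To make the allow-list, contributor and audit-trail checks above concrete, here is an added Python model of such a gate. It is not GitProxy's code or its configuration format; the policy keys, the URL normalisation and the audit record shape are assumptions made for this example, and the repository and domain names in the policy are constructed values. Fetches are permitted from approved organisations, pushes only to explicitly approved repositories by authors from an approved domain, and every decision, allow or deny, is written to the audit log.

```python
"""Allow-list gate for a Git proxy with an audit trail (constructed example)."""
import json
import re
from datetime import datetime, timezone
from fnmatch import fnmatch

# Constructed policy (hypothetical keys): fetch from approved organisations only,
# push only to repositories explicitly approved for outbound contribution.
POLICY = {
    "fetch_allow": ["github.com/finos/*", "github.com/openjs-foundation/*",
                    "gitlab.com/example-bank/*"],
    "push_allow": ["github.com/finos/git-proxy"],
    "approved_author_domains": ["example-bank.com"],
}

AUDIT_LOG = []  # in-memory stand-in for an append-only audit sink

# Accepts https://, ssh:// and scp-style (git@host:org/repo.git) remote URLs.
_URL_RE = re.compile(
    r"^(?:https?://|ssh://)?(?:[\w.-]+@)?(?P<host>[\w.-]+)[:/](?P<path>.+?)(?:\.git)?/?$")


def canonical_repo(url):
    """Normalise a remote URL to 'host/org/repo' so matching is independent of URL form."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"unrecognised git remote: {url!r}")
    return f"{m.group('host')}/{m.group('path')}".lower()


def _on_list(repo, patterns):
    return any(fnmatch(repo, p) for p in patterns)


def authorize(op, url, author_email, policy=POLICY):
    """Decide whether a fetch or push may cross the proxy.
    Returns (decision, reason) and always appends an audit record."""
    repo, reason = None, ""
    try:
        repo = canonical_repo(url)
        if op == "fetch":
            if not _on_list(repo, policy["fetch_allow"]):
                reason = "repository not on fetch allow-list"
        elif op == "push":
            domain = author_email.rsplit("@", 1)[-1].lower()
            if domain not in policy["approved_author_domains"]:
                reason = "author not from an approved domain"
            elif not _on_list(repo, policy["push_allow"]):
                reason = "repository not approved for outbound contributions"
        else:
            reason = f"unsupported operation {op!r}"
    except ValueError as exc:
        reason = str(exc)          # unparseable remote: fail closed
    decision = "allow" if not reason else "deny"
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "op": op, "url": url, "repo": repo, "author": author_email,
        "decision": decision, "reason": reason,
    })
    return decision, reason


def audit_trail_jsonl():
    """Render the audit records as JSON Lines, one decision per line."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in AUDIT_LOG)


if __name__ == "__main__":
    authorize("fetch", "https://github.com/finos/git-proxy.git", "dev@example-bank.com")
    authorize("push", "git@github.com:finos/other-project.git", "dev@example-bank.com")
    authorize("push", "git@github.com:finos/git-proxy.git", "dev@personal-mail.example")
    print(audit_trail_jsonl())
```

Two points carry over to a real deployment: the remote URL is canonicalised before any comparison, so an https, ssh or scp-style spelling of the same repository cannot slip past a string match, and denials are logged with the same detail as allows, which is what an auditor asks for first.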