Improving the Contribution Experience for Regulated Industries


Presented at Open Source In Finance Forum 2023 - NYC
Presented by Philip Holleran - GitHub, Cara Delia - Red Hat, Kay XiongPachay - Goldman Sachs & Moderated by Rob Moffatt - FINOS

Title: Improving the Contribution Experience for Regulated Industries

Abstract: Open Source contribution policies within many regulated firms require internal approval of both the repositories to which developers can contribute, and each individual commit, before any code is pushed. The resulting contribution workflow, built either on paper processes or internal tooling, is often cumbersome for developers and OSPO managers. The OSPO team at GitHub is building a standardized process to improve the contribution workflow for firms that require manual approval of commits. In this talk we'll discuss our approach, share what we've built so far, and discuss what's next.

Find more info about FINOS:
On the web: https://www.finos.org/
Twitter: https://twitter.com/finosfoundation
LinkedIn: https://www.linkedin.com/company/finosfoundation/
OSFF NYC: https://events.linuxfoundation.org/open-source-finance-forum-new-york/

OSFF 2023 NYC - Open Source Readiness - How To's + Security Track


  • Harmonization of SBOMs and its Continuous Monitoring - Zeal Somani & Andres Vega

    Presented at Open Source In Finance Forum 2023 - NYC
    Presented by Zeal Somani - JupiterOne, Andres Vega - M42

    Title: Harmonization of SBOMs and its Continuous Monitoring

    Abstract: Software bundles constantly transition from developers to maintainers and ultimately to end users within the software supply chain. Additionally, they come under the scrutiny of policy makers and regulatory entities. To enhance their security, Software Bills of Materials (SBOMs) are increasingly recommended. However, the data captured by SBOMs represents a specific moment in time, and these SBOMs can vary in format. Multiple regulatory organizations, including CISA, ENISA, and ISO, advocate for the use of SBOMs. In this presentation, we will discuss the potential for harmonizing SBOM formats across various compliance frameworks in the financial sector.

    Slides can be found here: https://osff2023.sched.com/event/1PzGO/harmonization-of-sboms-and-its-continuous-monitoring-zeal-somani-jupiterone-andres-vega-m42

  • Improving the Contribution Experience for Regulated Industries (this talk; see the description above)

  • Open Source and The New Era of Software Liability - Brian Fox, Sonatype

    Presented at Open Source In Finance Forum 2023 - NYC
    Presented by Brian Fox - Sonatype

    Title: Open Source and The New Era of Software Liability

    Abstract: As the number of organized attackers whose sole focus is exploiting vulnerabilities in open source ecosystems continues to grow, governments around the world are making secure software development a CEO's problem. When an automobile defect leads to injury, we expect the auto manufacturer to be liable. Software has so far avoided these sorts of controls, and blanket disclaimers of liability are a cornerstone of modern software licenses. But a slate of recent government regulations, strategy documents, and policies – including the EU Cyber Resilience Act, Executive Order (EO) 14028, and the National Cybersecurity Strategy – indicate this situation might soon change. These proposed regulations are calling for landmark actions to be taken by organizations, with compliance deadlines coming up fast. This talk will present an overview of what's coming and how to prepare your business for the new era of software liability. We'll explore global cybersecurity regulatory efforts, share guidance for compliance and maturing your process, and examine what these regulations mean for the future of open source software development.

  • Best Practices in Open Source Risk Management - Rhys Arkins, Mend.io

    Presented at Open Source In Finance Forum 2023 - NYC
    Presented by Rhys Arkins - Mend.io

    Title: Best Practices in Open Source Risk Management

    Abstract: Assessing risk in Open Source dependency use can make any security lead sweat. Projects which rarely update dependencies will be the slowest to react and remediate so-called "log4j incidents", which is often referred to as "security debt". Meanwhile, the risk of malicious code introduction or account takeovers in Open Source packages is not insignificant, so those who live on the cutting edge of latest versions may also be at increased risk from another angle. How can companies - especially those in highly-regulated industries like Finance - provide sensible guidance to software teams which optimizes their risk? This presentation will address the challenge from both angles - how much more at risk are projects when they fall behind in dependencies, plus how much risk is there from malicious code in Open Source? Rhys Arkins will deliver this perspective as someone responsible within Mend.io for both dependency automation solutions as well as supply chain security - scanning for malicious releases in near real-time.

  • Learned Helplessness and OSS – Brittany Erica Istenes, Fannie Mae & Cara Delia, Red Hat

    Presented at Open Source In Finance Forum 2023 – NYC
    Presented by Brittany Erica Istenes – Fannie Mae & Cara Delia – Red Hat

    Title: Learned Helplessness and OSS – How to Avoid this Through Bridging the Gap Between Strategy, Community and Technical Culture

    Abstract: When working within highly regulated enterprises, open source software consumption and contribution processes can be challenging. Many times within the technical culture space, there are perceived roadblocks that can get in the way of development, which has unintended consequences. One of these is that technologists do not know how to access their dependencies, resolve vulnerabilities, or even upgrade specific package versions, which in turn sets off a line of support tickets for team members that are not familiar with OSS and slows down innovation. This can be a deterrent for many engineers, and sometimes they just give up and follow the ticketing route. This talk is designed to show enterprises how to avoid this slowdown through building a strong open source strategy and leveraging Special Interest Groups. We will break down personas, maturity models, solutions, direct impact examples and how this work is also integrated within the Open Source Readiness SIG here at FINOS.
