Why Financial Institutions Need to Double Their Open Source Investments
After the trio of Log4j vulnerabilities and the more recent compromise of two open source libraries in the npm ecosystem and one in Spring Core, supply chain security weighs heavily on the minds of cyber defenders. As the financial services industry has strengthened its cyber defenses relative to other industries and become an early adopter of zero-trust security, institutions must continue to embrace open source technology while actively engaging in risk mitigation.
With so many fundamental components of the global technology stack coming from open source code repositories like GitHub, recent exploits have heightened fears that this open ecosystem is inherently vulnerable to attack. This is especially true given the financial industry's embrace of open source, as seen in Goldman Sachs' 2020 contribution of the source code for several of its data modules as open source.
Protect open source environments
First, financial institutions need to take a more active role in funding open source foundations and directing grants to maintainers, to help limit exposure to critical code dependencies of the kind the Log4Shell debacle illustrates. To that end, public-private partnerships will be vital for financial institutions looking to strengthen their open source security postures. Addressing the DevSecOps challenges inherent in the open source ecosystem requires a financial and strategic commitment from institutions willing to support the entire spectrum of open source maintainers – not just the Apache Software Foundations of this world. Projects like the OpenSSF Alpha-Omega initiative are an excellent example of this approach.
Financial institutions must also adopt a more robust software bill of materials (SBOM), a key point highlighted in President Biden's executive order last June. Modern SBOMs are machine-readable, so tooling can ingest them as structured report data and autonomously analyze SBOM readiness across organizations around the world. SBOMs can thus help financial institutions quickly identify patterns within their industry and across borders, helping them spot critical risk issues before they metastasize into larger problems.
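As an added illustration of what machine-readable SBOM ingestion looks like in practice (example code written for this article, not from any institution or vendor), the script below parses a constructed CycloneDX-style SBOM and checks each component's version against a constructed advisory list covering the Log4Shell and Spring Core cases mentioned above. The SBOM contents, the advisory records and their version ranges are all illustrative placeholders, not an authoritative vulnerability feed.

```python
import json
from typing import List, Tuple

# Constructed CycloneDX-style SBOM fragment (illustrative, not a real institution's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "name": "spring-beans", "version": "5.3.18",
     "purl": "pkg:maven/org.springframework/spring-beans@5.3.18"},
    {"type": "library", "name": "lodash", "version": "4.17.21",
     "purl": "pkg:npm/lodash@4.17.21"}
  ]
}
"""

# Constructed advisory records: (purl without version, first affected, first fixed, note).
# The version ranges are placeholders for the example, not authoritative advisory data.
ADVISORIES = [
    ("pkg:maven/org.apache.logging.log4j/log4j-core", "2.0", "2.17.1", "Log4Shell (constructed record)"),
    ("pkg:maven/org.springframework/spring-beans", "5.3.0", "5.3.18", "Spring Core issue (constructed record)"),
]

def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2.14.1' or '5.3.18-RC1' into a comparable 3-tuple, ignoring qualifiers."""
    nums = []
    for part in v.split(".")[:3]:
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        nums.append(int(digits or 0))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])

def load_components(sbom_text: str) -> List[dict]:
    """Parse the SBOM and return its component list, rejecting unknown formats."""
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return bom.get("components", [])

def audit(sbom_text: str = SBOM_JSON, advisories=ADVISORIES) -> List[Tuple[str, str, str]]:
    """Return (name, version, note) for every component inside an advisory's affected range."""
    hits = []
    for comp in load_components(sbom_text):
        base_purl = comp.get("purl", "").split("@")[0]
        ver = parse_version(comp["version"])
        for prefix, affected_from, fixed_in, note in advisories:
            if base_purl == prefix and parse_version(affected_from) <= ver < parse_version(fixed_in):
                hits.append((comp["name"], comp["version"], note))
    return hits
```

Running `audit()` flags the log4j-core 2.14.1 entry and passes spring-beans 5.3.18, which sits at the constructed fixed version; the same loop scales to an institution's full dependency inventory once a real advisory feed replaces the placeholder list.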
A table-stakes strategy for financial institutions to mitigate open source risks on the consumer side includes implementing internal controls and stronger licensing and intellectual property tools to track and monitor incoming open source projects. More granular strategic solutions start with financial institutions taking the time to understand the advocates who are focused on securing the open source domain. Organizations like WhiteSource, Sonatype and Snyk are key players in this world.
The broader sustainability of the open source ecosystem is another reason financial institutions are taking a more hands-on role in developing code repositories and other open source artifacts. Institutions should consider offering secure coding training as part of their onboarding, since it is too often overlooked in academic curricula.
Encouraging in-house developers to contribute to the ecosystem will increase the number of eyes on open source artifacts, increasing the chances that financial institutions will be able to spot code vulnerabilities before they threaten a SolarWinds-like breach. This approach will effectively reduce the likelihood and reach of future vulnerabilities.
The benefits of open source outweigh the risks
Despite recent and disturbing supply chain attacks, financial institutions should not be discouraged by these challenges. The global financial industry is now democratizing software in earnest through open source, not just as a cost-saver, but as a powerful collaboration model that goes beyond code to address challenges such as data standardization and industry-wide interoperable workflows. Open source is here to stay, and so it's no longer optional – it's imperative that CIOs have a mature open source engagement strategy, spanning consumption, contribution and funding, as a pillar of their digital transformation efforts.
Institutions should do more than just deploy code that another developer has updated. Finance organizations should invest internal development resources to actively contribute to code repositories. Developers should contribute code not just in their spare time, but more appropriately while they are at work, within the expected scope of their organizational roles.
By taking an active stake in the open innovation ecosystem, financial institutions can better mitigate vulnerabilities and exposures emanating from their technology stacks. This type of risk management also requires the articulation of enterprise-wide policies, learning, and collaborative resources. Naturally, financial institutions must delegate and establish leadership roles to oversee the effort.
Whether through open source foundations or direct cash or equity contributions to projects, financial institutions need to realize the importance of professional software supply chain management. They must also understand the roles consumers must play in securing the open source computing stack, which underpins the modern digital economy.