Codebase Risk
Open source software may have hidden costs, such as maintenance, support, security, and compliance. Users and contributors need to be aware of the total cost of ownership and the implications of using different licenses.
Data leakage risk refers to the potential for sensitive or confidential information to be unintentionally or maliciously disclosed outside of an organization, leading to potential harm to the organization's reputation, finances, or legal standing.
Software dependency risk refers to the potential negative consequences of relying on external software components that can compromise the security, performance, quality or functionality of an organization's software systems.
Strategic risk refers to the potential for adverse outcomes resulting from decisions made by an organization's leadership regarding its long-term goals, objectives, and competitive position.
Development staff within the firm's Information Technology (IT) departments are responsible for designing, coding, and testing software applications.
When people think about open source, most often they think about the engineering aspects: contributing or consuming code. But community and culture are a central part of the open source world and should not be overlooked.
Public Development
Incubating an open source project within a foundation offers numerous benefits, which include increased visibility, community support, and access to resources that can propel your project to new heights.
We currently live in a world where OSS is everywhere, consumable, helpful and can have a positive or negative effect on the programs we rely on. Strong open source projects can lessen technical debt and increase reusability and discoverability. For the purpose of this guide, we will cover some key principles and practices for managing your open source project effectively.
This article serves as a guide to joining FINOS or another foundation.
This guide is intended to help OSPOs of all maturity levels build an open source training course that is created with purpose to deliver impact. Whether your OSPO recently launched or is looking into redoing the firm's open source training, this guide will provide ideas and content that can be incorporated into a comprehensive open source training course.
This article describes the importance of interacting with open source foundations, the roles they perform and ways in which your organisation can make the most of them.
There are several key points that a large enterprise should consider to ensure compliance with open-source license obligations:
In this article we are going to look at the growing issue of software supply chain attacks via some examples and then look at the emerging field of open source supply chain security: what it is, current best practices, the institutional landscape and emerging legislation.
Software inventory is a precondition to most of the activities involved in OSMM level 2. The first step to licence compliance or supply chain security is to understand what software is in your estate.
Using open source software within a financial services organisation poses unique challenges. This article outlines some of the potential pitfalls and solutions when getting started.
The FINOS / TODO Financial Services Open Source Developer exam is designed for developers contributing to open source projects whilst working in financial institutions internationally.
This module covers important topics for working most effectively with upstream open source projects. This content resides within the ‘Contribute’ section of the open source framework. Understanding these concepts is critical for developers, as these form the basis for productive and streamlined work with open source projects. Being able to effectively utilize these concepts gives developers & engineering managers the necessary background and information to not only get the most value from their open source engagement but also to understand how to effectively work with upstream open source projects.
This course is for everyone involved or looking to become involved in open source software communities.
Learn the security basics to develop software that is hardened against attacks, and understand how you can reduce the damage and speed the response when a vulnerability is exploited. Thanks to the involvement of OpenSSF, a cross-industry collaboration that brings together leaders to improve the security of open source software by building a broader community, targeted initiatives, and best practices, this course provides specific tips on how to use and develop open source and other software securely.
This course is designed for developers looking to contribute to open source software in the financial industry.
This module covers open source best practices for development and governance. This content resides within the ‘Strategy & Governance’ section of the open source framework. These elements provide developers a common understanding of important development practices in all areas of open source. Being able to effectively utilize these concepts gives learners the foundation to develop, test, and participate in the open source software community.
For a financial services firm, the importance of hosting an artifact repository manager such as JFrog Artifactory or Sonatype's Nexus inside the firm's firewall cannot be overstated.
This article explains the concept of the Contributor License Agreement (CLA) and Developer Certificate of Origin (DCO) and the practical implications of these for organisations consuming and contributing to open source.
CVEs (Common Vulnerabilities and Exposures) are standardized identifiers for publicly known cybersecurity vulnerabilities which can be leveraged in exploits. The MITRE Corporation manages the CVE program, which receives funding from the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA).
This article looks at Data Loss Prevention (DLP) software commonly used in financial organisations and how these impact open source consumption and contribution. It is not a complete reference for the subject of DLP generally, but should act as a starting point for understanding the issues involved.
This article discusses the main types of intellectual property and their application to open source within financial services.
An open source policy is a set of guidelines that outlines how an organization will consume, contribute to, and create open source software. It defines the rules that govern the use, distribution, and licensing of open source software within the organization. It establishes processes for evaluating open source software, managing the risks associated with its use, and ensuring compliance with legal and ethical requirements.
Article covering source and artifact repositories.
An SBOM, or Software Bill of Materials, is a list of all the components, libraries, and dependencies used in a software project, along with their associated version numbers and license information. There are two different SBOM formats:
This article provides some basic framing around the purpose of licenses within open source.