This post originally appeared on FINOS.org and is modified for OpenSSF.
The Linux Foundation’s Open Source Security Foundation (OpenSSF) Secure Software Development Education 2024 Survey offers crucial insights that are particularly relevant to the financial services industry, including FINOS members such as sell-side banks, buy-side firms, and wealth managers. As these organizations increasingly rely on software to drive operations, the emphasis on secure software development becomes critical.
The report highlights areas where organizations from all industries, including financial institutions, can enhance their security practices to protect sensitive data, manage risk, prevent substantial financial losses, and maintain client trust.
KEY FINDINGS FOR FINANCIAL SERVICES
- Familiarity with Secure Practices: A significant 28% of professionals involved in software development report unfamiliarity with secure development practices. This figure jumps to 75% for those developers with less than one year of experience. This gap is particularly concerning for financial institutions, where software vulnerabilities can lead to data breaches, with severe financial and reputational damages. For sell-side banks and buy-side firms, addressing this knowledge gap is crucial to maintaining robust security frameworks.
- Reliance on On-the-Job Learning: Most professionals (69%) depend on on-the-job experience as their primary way of learning secure software development, a route that can take more than five years to produce familiarity. This prolonged learning curve poses a risk for financial organizations that need to adapt swiftly to evolving security threats. Structured training programs are essential to ensure that financial services professionals are equipped to handle security challenges effectively.
- Emerging Security Concerns: AI and ML security (57%) and supply chain security (56%) are identified as critical areas for future focus. Financial firms, which increasingly leverage AI for trading algorithms and customer service, must prioritize these areas to mitigate risks associated with these technologies.
- Importance of Language-Agnostic Training: The report emphasizes the importance of language-agnostic courses, with 79% of respondents considering them highly important. Financial institutions should integrate such training into their development processes to ensure proficiency in secure coding practices across various programming languages.
AI AND SECURITY IN OPEN SOURCE FINANCE
AI and ML security are highlighted as critical areas for future innovation and attention. For the financial sector, which is rapidly adopting AI technologies, understanding and addressing AI-related security vulnerabilities is essential. Open source initiatives, foundational to many financial services applications, must incorporate robust AI security measures to protect the integrity of financial systems. This includes developing secure AI models, ensuring data privacy, and implementing rigorous testing protocols to identify and mitigate potential vulnerabilities.
IMPLICATIONS FOR THE FINOS COMMUNITY
For the broader FINOS open source community, these findings underscore the importance of integrating secure software development practices across all projects. Open source software plays a critical role in the financial services industry, and ensuring its security is vital to maintaining the trust and reliability of financial systems.
CALLS TO ACTION
- Invest in Training Programs: Financial institutions should invest in comprehensive training programs focused on secure software development. As a starting point, financial institutions should ensure all their software developers (current and onboarding) have taken a course on the fundamentals of developing secure software.
The OpenSSF offers a free course, “Developing Secure Software (LFD121),” which provides about two days of material on the fundamentals of secure software development. This online, on-demand course is highly rated by past participants and is an essential resource for improving software security.
- Enhance Cross-Departmental Collaboration: Encourage collaboration among IT, security, and operational teams to foster a culture of security awareness and shared responsibility for software security.
- Leverage Open Source Resources: Utilize the educational materials and courses offered by FINOS, OpenSSF, The Linux Foundation, and other open source initiatives to enhance the security skills of development teams.
- Be Aware of Emerging Threats: Prioritize training and development efforts on emerging security concerns such as social engineering threats, AI and ML security, and supply chain vulnerabilities to stay vigilant.
- Join the FINOS AI Readiness SIG: FINOS members are encouraged to join the AI Readiness Special Interest Group (SIG) to collaborate on addressing AI-related security challenges. This group provides a platform for financial services firms to share insights, develop best practices, and enhance their AI security readiness.
- Attend the Open Source in Finance Forum (OSFF): We invite you to join OSFF on September 30th and October 1st, 2024, in New York. This event offers an opportunity to learn from security experts through talks such as “Unlocking Secure Open Supply Chains” by Emily Fox from Red Hat, “A Journey from Security Architecture to Straight-Through Provisioning” by Aldwin Saugere and Iva Nikolaeva from Morgan Stanley, and “Paying Maintainers to Improve Open Source Security Outcomes: A Case Study” by Donald Fischer from Tidelift.
- Attend the SOSS Community Day: Join us at a SOSS Community Day, a chance for members to share ideas and progress on securing open source software. These events are held regionally alongside Open Source Summits and were formerly known as OpenSSF Days; the new name reflects a broader interest in OSS security.
- SOSS Fusion Conference: The SOSS Fusion Conference is a premier event for open source professionals, featuring keynotes, workshops, and panel discussions. It’s a movement towards a secure digital future, bringing together industry leaders, cybersecurity experts, and technology innovators.
In collaboration with OpenSSF and FINOS, members can enhance their security frameworks, protect their assets, and maintain their clients’ trust. The findings from the OpenSSF report serve as a call to action for the financial services industry to prioritize secure software development as a crucial component of their operational strategy.