Building Security in Open Source for Financial Services: OpenSSF at Open Source Finance Forum (OSFF) NYC

November 9, 2025 | Blog

Financial services depend on open source software. From payments to trading systems to fraud detection, open source accelerates innovation and lowers costs. This also means financial institutions need confidence that the software they rely on is secure.

OpenSSF Sponsors OSFF NYC

OpenSSF was a proud sponsor of the Open Source in Finance Forum. Sponsorship is not just financial support. It is a commitment to industry collaboration. Our members include financial institutions, technology providers, regulators, and maintainers. OSFF brings these groups together to move from cybersecurity challenges to practical shared solutions.

By sponsoring OSFF, OpenSSF is helping:

  • Put open source security on the main stage for financial services
  • Connect maintainers with the organizations that rely on their work
  • Ensure critical conversations include the people who build the code

Below are highlights from the three OpenSSF-authored talks featured at OSFF.

Securing the Future of Open Source AI: A Holistic Approach

Presented by: Jamie Thomas, IBM

Open source drives AI innovation

80–90% of modern software supply chains are open source, including 71% of AI components, making OSS the foundation of enterprise AI.

The threat landscape is changing

  • Major supply chain vulnerabilities (SolarWinds, Log4j, XZ) show how quickly attacks evolve.
  • Identity-based intrusions now account for 30% of attacks in finance.

AI introduces new categories of cyber risk

  • Malware hidden inside model weights
  • Licensing and compliance uncertainty
  • Poisoned training data altering safety or outcomes
  • Ethical and governance blind spots

OpenSSF is leading proactive defense

Jamie outlined how we are securing AI from development to deployment:

  • Model signing v1.0 for integrity verification
  • MLSecOps frameworks for the full AI lifecycle
  • Tooling like OpenSSF Scorecard, OSV, GUAC for transparency
  • Policy engagement across the US and EU
  • Education including cybersecurity skills development

She closed with a clear call to action: the financial sector must shape AI security standards early to avoid compounding risks later.

To learn more: watch the Cybersecurity Skills Framework Webinar and download the slides from her presentation at OSFF: https://sched.co/28S3c

All About That Base[line]: Charting a Path for Secure Open Source Projects

Presented by: Stephen Augustus, Bloomberg + Michael Lieberman, Kusari

Financial institutions need open source security they can prove.

The Open Source Project Security (OSPS) Baseline gives teams a simple, auditable checklist aligned to NIST guidance, the EU Cyber Resilience Act, and several other external frameworks.

In New York, Stephen and Michael showed how the OSPS Baseline meets the needs of fintech and financial services:

  • Simplifies third-party and open source risk management with clear, declared project practices
  • Improves audit readiness through mappings to familiar control frameworks and policies
  • Enables continuous validation with automation-friendly controls and tooling
  • Speeds vendor and dependency reviews by giving security, legal, and engineering a shared language
  • Reduces supply chain exposure with documented provenance, protected CI, and signed releases

Attendees saw how better alignment between maintainers and downstream users builds a more trustworthy software ecosystem that reduces operational risk and supports regulatory confidence.

Learn more about the OSPS Baseline

Communications Very Erratic (CVE): Stabilizing Vulnerability Data for Downstream

Presented by: Christopher “CRob” Robinson, OpenSSF

Uncertainty surrounding the continuity of CVE and NVD has created major disruption in vulnerability data pipelines. For financial services, this is more than operational pain. It is a real cyber risk.

CRob provided the history behind the issue and a path forward:

  • How gaps in vulnerability metadata disrupt enterprise risk management
  • The role of the open source community in stabilizing the data supply chain
  • What financial institutions can do right now to maintain continuity
  • Why collaboration is essential to global defense

Attendees gained clarity on how to stay prepared during a period of transition. To learn more about this talk, check out the FINOS Podcast.

Continue the Conversation

Financial services are at a pivotal moment. The sector’s dependence on open source continues to grow, and so does the responsibility to secure the systems customers count on every day. FINOS and the OpenSSF community share a clear mission: strengthen the foundations of open source so innovation in finance can move faster, operate with greater confidence, and meet rising regulatory demands. By continuing to collaborate on standards, tooling, education, and shared best practices, we can reduce systemic risk while advancing a more trustworthy software ecosystem for the entire financial industry.

We look forward to continuing this work together. Join us and meet the community next at Open Source SecurityCon on November 10, 2025. In the meantime, you can explore the full OSFF presentations here:

Watch the presentations

https://www.finos.org/osff-nyc-2025-videos

Check out the event photos

https://www.flickr.com/photos/linuxfoundation/54875543358/in/album-72177720329865124/