2020 FinConDX Virtual Summit 9:00 a.m. – 4:00 p.m. EST
What the Financial Services Industry Can Learn About Speed and Security From High Performance Open Source Development
With 40 million developers, 300,000 of open source projects, 500 billion open source package downloads annually -- what could go wrong? Or better yet, what could we get more right? As the financial services industry relies more and more on open source to innovate, it’s crucial to answer these questions. In a two year long collaboration with Gene Kim and Dr. Stephen Magill, we objectively examined and empirically documented software release patterns and cybersecurity hygiene practices across 30,000 commercial development teams and open source projects. At the heart of our endeavor we looked at: what attributes can we use to identify the best open source project behaviors, what behaviors have been adopted by the best development teams relying on those projects, and what practices would produce the best security and productivity outcomes. From yuan to the euro, everyone has security requirements. The players in the global financial services industry may differ in currency units, but share a common goal: software security. In 2017, it took three days for adversaires to exploit new vulnerabilities discovered in open source components resulting in the infamous Equifax breach. Since then, companies have made significant investments to not become the “next Equifax”. Eager to identify their next attack vector, adversary strategies have shifted ‘upstream’ to next generation software supply chain attacks where they can infect a single component that can be quickly distributed ‘downstream’ to hundreds or millions of unsuspecting developers. Their exploits are now achieved in seconds. In this session, we’ll share the practices and outcomes we discovered that differentiate the low performers from the peak performers. You’ll understand how open source projects with 1.5x more frequent releases and 530x faster open source dependencies upgrades harness this speed to dramatically improve security within their code. You will also learn how high performance enterprise software development teams at some of the largest financial institutions are simultaneously boosting productivity and security - achieving 15x faster deployments and 26x faster remediation of application security vulnerabilities. Finally, I’ll shed light on how we can all apply these exemplary practices to stay a step (or more) ahead of our adversaries. Don’t be afraid to upgrade your perspectives on application security and be sure to join this session.