Mend Enables FINOS to Achieve Full Control and Visibility

Building the backbone of open source development for the finance industry

The Fintech Open Source Foundation (FINOS) is an independent nonprofit organization that accelerates collaboration and innovation in financial services through the adoption of open source software, standards, and best practices. FINOS was founded by the world’s largest financial services and tech firms to collaborate on a wide range of open-source projects. Key areas of innovation include data visualization, cloud services, data integration, and desktop integrations.

FINOS offers an Open Developer Platform (ODP) to all its open source contributors, providing a compliant open source development process. The foundation’s OSS Projects are Apache 2.0 licensed and available on GitHub.

The goal of FINOS is to promote the use of open source in Fintech. Because financial institutions are among the most highly regulated of industries, they have a reputation for being slow to change. Financial institutions generally are underpinned by legacy systems, and keeping their customers’ information secure is a top priority. As a result, they tend to be late adopters when it comes to embracing new technologies.

However, as banks continue to evolve into software companies with investment strategies, relying solely on home-grown technology is becoming increasingly expensive and ultimately unsustainable. Most banks have steadily replaced expensive-to-maintain proprietary pieces of their IT infrastructure with open source components.

FINOS’s members understand the need for innovation. To meet the demand for new technologies and applications, they invested heavily in building their Open Developer Platform. ODP provides a best-of-breed open source collaborative development experience, while releasing financial services grade open source software.

Security was a huge concern when promoting ODP. In addition to customer financial data, financial institutions house a wealth of information that would be disastrous should a breach occur. FINOS’s members needed to be confident their open source components had no known vulnerabilities and were compliant with license policies. While security was the primary concern, FINOS also didn’t want to slow down their developers’ ability to innovate. To solve this problem, the foundation partnered with Mend to be the gatekeepers of their open source ecosystem.

FINOS chose Mend to manage the open source licenses and security vulnerabilities in their open source projects. With Mend, FINOS can create policies around license compliance, security vulnerabilities, and quality issues that are automatically enforced. This ensures that all committed code meets FINOS’s high standards of code quality.

“The ability to set and enforce strict policies is a top priority for the foundation and our security-conscious community,” says Maurizio Pillitu, Director of DevOps at FINOS. “As a part of the deployment process for Mend’s platform, we were able to define which levels of threat severity were unacceptable before committing to the ODP.” He was also able to define the licenses that meet the specifications from his users’ legal teams.

Code that is not up to FINOS’s standards is blocked, and any attempt by a developer to commit vulnerable code results in the build being failed. “Our responsibility is to avoid — at any cost — the release of known vulnerabilities. Our wish is to spot issues as soon as possible in the development workflow, such as a build failure if Mend policies are violated,” says Pillitu, explaining that this is an important feature for their users to develop with confidence.
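The gate described above, as an added illustration that is not Mend's or FINOS's code: a build step that reads a dependency scan report, rejects any component whose license is outside an allowlist or whose vulnerability severity exceeds the configured maximum, and fails the build on the first violation. The report format, component names, and vulnerability identifiers below are constructed for the example; severities the scanner does not label with a known level are treated as violations so the gate fails closed rather than silently passing.

```python
"""Constructed example of a policy gate for a dependency scan report.

Not FINOS's or Mend's code; the report layout and sample values are
assumptions made for this illustration.
"""
import sys
from dataclasses import dataclass

# Ordering used to compare a finding against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Policy:
    # Findings strictly above this level block the build.
    max_allowed_severity: str = "medium"
    # Licenses a project may depend on; anything else is rejected.
    allowed_licenses: frozenset = frozenset({"Apache-2.0", "MIT", "BSD-3-Clause"})


def evaluate(report: dict, policy: Policy) -> list:
    """Return a list of violation messages; an empty list means the build may proceed."""
    violations = []
    threshold = SEVERITY_RANK[policy.max_allowed_severity]
    for comp in report.get("components", []):
        name = f"{comp['name']}@{comp['version']}"
        license_id = comp.get("license")
        # Missing or unknown license is a violation: fail closed.
        if license_id not in policy.allowed_licenses:
            violations.append(f"{name}: license {license_id!r} is not in the allowlist")
        for vuln in comp.get("vulnerabilities", []):
            sev = str(vuln.get("severity", "")).lower()
            rank = SEVERITY_RANK.get(sev)
            if rank is None:
                # Unrecognised severity label: do not let it slip through.
                violations.append(f"{name}: {vuln.get('id')} has unrecognised severity {sev!r}")
            elif rank > threshold:
                violations.append(
                    f"{name}: {vuln['id']} severity {sev} exceeds {policy.max_allowed_severity}"
                )
    return violations


def gate(report: dict, policy: Policy) -> int:
    """CI exit status: 0 when the policy passes, 1 when any violation is present."""
    violations = evaluate(report, policy)
    for v in violations:
        print(f"POLICY VIOLATION: {v}")
    return 1 if violations else 0


# Constructed sample report (hypothetical component names and finding ids).
SAMPLE_REPORT = {
    "components": [
        {
            "name": "example-lib", "version": "1.2.3", "license": "Apache-2.0",
            "vulnerabilities": [{"id": "EXAMPLE-FINDING-001", "severity": "high"}],
        },
        {
            "name": "tidy-utils", "version": "0.9.0", "license": "MIT",
            "vulnerabilities": [{"id": "EXAMPLE-FINDING-002", "severity": "low"}],
        },
        {
            "name": "legacy-parser", "version": "2.0.0", "license": "GPL-3.0-only",
            "vulnerabilities": [],
        },
    ]
}

if __name__ == "__main__":
    # Default policy: one finding above "medium" and one disallowed license fail the build.
    sys.exit(gate(SAMPLE_REPORT, Policy()))
```

Running the file as a CI step exits non-zero with two violations printed, which is what makes the build fail; relaxing `max_allowed_severity` or extending `allowed_licenses` is how a project leader would widen the policy deliberately rather than by bypassing the gate.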

This extra security does not mean slowing down their workflow. In fact, using Mend speeds up the process. “Before moving to Mend, the contribution process included a code validation step prior to the final code transfer. Given the wide amount of languages and ecosystem, the process was manual and quite time consuming, especially with the quick growth of our project portfolio,” says Pillitu. With Mend, this process is automated, saving significant time for developers.

Mend automatically does all of the heavy lifting behind the scenes, never interfering with FINOS’s agile development process.

“The ODP should never be the bottleneck in our users’ development process,” says Pillitu on how the platform gives his team a greater degree of self-governance to keep their focus on the development. “They should be self-sufficient. That’s why the product approver of Mend is the project leader itself.”

FINOS’s inclusion of Mend as the security solution for their platform is paying off. Pillitu says he is seeing significant buy-in from the financial industry. He points to their extensive list of platinum members and the growing number of organizations signing the Contributor License Agreement, which allows financial institutions to take part in the initiative.

“The Fintech Open Source Foundation collects license agreements from a wide variety of financial services and technology companies and therefore it is the place where this collaboration can happen,” says Pillitu. “It provides a safe, neutral environment to work together.”

Moreover, he states that he is seeing more members contributing their code to the ODP, which he takes as a sign of confidence from his user base.

Partnering with Mend has made it possible for FINOS to become the new hub for innovation in financial services, paving the way for faster, more efficient, and secure development.