Why OpenSSF at OSFF
Open source is everywhere in financial services. A recent survey showed that 85 percent of firms in the sector are increasing their use of open source, with nearly 60 percent saying it is a significant increase (FINOS). Teams choose it because it reduces costs, speeds delivery, and helps attract talent (Linux Foundation).
With more use comes more risk. Security, compliance, and resilience need to be part of the conversation. That is why OpenSSF is sponsoring OSFF. Our members include leading financial institutions like Capital One, JP Morgan Chase, and Morgan Stanley, technology providers serving financial services, policymakers shaping regulation, and open source maintainers who build and support the software relied upon by these institutions. Bringing all of those voices together is how practical solutions get built.
All About That Base[line]: Charting a Path for Secure Open Source Projects
The Open Source Project Security (OSPS) Baseline is a tiered set of practical security controls for open source projects that aligns with NIST guidance and with the EU Cyber Resilience Act (CRA). For financial institutions it doubles as a clear, auditable checklist for assessing the projects they depend on, which reduces risk and supports their compliance work.
At OSFF, Stephen Augustus (Bloomberg) and Michael Lieberman (Kusari) will show how the Baseline works with real examples and demos.
Communications Very Erratic (CVE) – Stabilizing vulnerability data for downstream
In April 2025, MITRE announced that U.S. government funding for the CVE and CWE programs was about to expire, which would have put NIST's NVD, which builds on CVE records, at risk as well. CISA stepped in to cover costs for nine months, but no updates or improvements to the programs have been made since. Enterprises, regulators, and maintainers are left without direction, and the downstream impact is real.
My talk, “Communications Very Erratic (CVE) – Stabilizing vulnerability data for downstream”, will cover the history behind the problem and how the open source community is working to stabilize vulnerability metadata. The goal is to give developers and financial institutions consistent, high-quality information they can rely upon to manage risk and meet obligations.
Securing the Future of Open Source AI: A Holistic Approach
AI adoption in financial services is accelerating. Jamie Thomas (IBM) will present OpenSSF’s AI security roadmap. This talk will connect lessons from the history of open source security to today’s AI landscape and introduce a multi-pronged approach that includes research, tooling, policy, and education.
Why Finance Leaders Should Pay Attention
- The OSPS Baseline gives you a framework you can actually use.
- The CVE session highlights how the community is working to restore stability to the data financial institutions need.
- The AI security roadmap helps you adopt new technologies with confidence.
- The Cybersecurity Skills Framework from OpenSSF and The Linux Foundation Education will give your teams the ability to deliver securely.
Join Us at OSFF
The OpenSSF community is proud to sponsor the Open Source in Finance Forum with FINOS.
Our community is made up of good friends across industries who bring their knowledge and energy to solving these problems. Join us at OSFF to hear the talks, ask questions, and take part in strengthening open source security for financial services.
Author: Christopher “CRob” Robinson, Chief Security Architect, OpenSSF
Christopher Robinson (aka CRob) is the Chief Security Architect for the Open Source Software Foundation (OpenSSF). With over 25 years of experience in engineering and leadership, he has worked with Fortune 500 companies in industries like finance, healthcare, and manufacturing, and spent six years as Program Architect for Red Hat’s Product Security team.