Community Blog

FINOS SDLC Governance Working Group: Building the Future of Software Delivery Controls

October 14, 2025

A New Initiative for Standardized Software Governance

On June 23rd, the day before OSFF London, Deutsche Bank, Morgan Stanley, and Kosli came together to establish a working group to create a standardized framework for software delivery governance that could transform how financial institutions define their SDLCs.

Building on the success of the Common Cloud Controls and the AI Governance Framework, this initiative aims to develop a shared, composable, and technology-agnostic vocabulary for SDLC controls—a common language that the entire industry can adopt and build upon.

Why FINOS Is the Ideal Home

The Financial Services Open Source Foundation (FINOS) provides the perfect environment for this collaborative effort. With proven successes like the Common Cloud Controls project and the AI Governance Framework already under its belt, FINOS has demonstrated its ability to unite financial institutions around shared technical challenges. The strong interest from FINOS members in SDLC standardization makes this a natural next step in the foundation's evolution.

The Challenge: Making up Governance

Every regulated financial institution faces the same fundamental challenge: implementing robust SDLC controls to manage risk while maintaining development velocity. These controls typically include:

  • Code review processes
  • Security vulnerability scanning
  • Change approval workflows
  • Audit trail requirements
  • Deployment gates and checkpoints

While these controls are essential for risk management, each institution currently defines them independently, so the same control is redefined from scratch in every organization.

The Current State: Three Critical Flaws

Today's SDLC frameworks suffer from three fundamental issues:

1. Vague Requirements
Controls are often written to cover vast, heterogeneous IT landscapes. The result is guidelines that are either too generic to be actionable or so specific they apply to only narrow use cases.

2. Baseless Standards
Without industry-wide benchmarks or shared rationales, it's difficult to justify controls internally to development teams or externally to auditors and regulators.

3. Subjective Implementation
The lack of structured frameworks means controls resist automation, standardization, and systematic improvement. What works for one team may be interpreted or evaluated completely differently by another.

The Vision: A Catalog of Common Controls

The working group envisions a future where SDLC controls are:

Specific and Actionable

  • Clear guidance with real-world examples
  • Practical implementation patterns
  • Measurable success and failure criteria

Canonical and Composable

  • Industry-standard vocabulary
  • Modular controls that can be mixed and matched
  • Shared across institutions to reduce duplication

Objective and Testable

  • Automated verification capabilities
  • Clear audit criteria
  • Consistent inspection standards

Join the Group

This initiative needs diverse perspectives to succeed. The working group will convene during the regular SDLC Governance Framework Working Group Meeting - Dev Ops Automation calls, and your participation is important. Use this link to add the call to your calendar!

How You Can Contribute:

  • Share your organization's SDLC challenges and successes
  • Provide feedback on proposed control frameworks
  • Help test and validate controls towards regulatory standards
  • Connect relevant stakeholders from your organization

If you know someone in your organization who should be involved—whether from development, security, compliance, or risk management—please connect them with this project. You can learn more in these GitHub issues:

Next Steps

The working group is actively forming and beginning to outline its charter. Early participants will have the opportunity to shape the direction of this critical industry initiative from the ground up.

For more information or to join the working group, contact the FINOS SDLC Governance Working Group mailing list or add the bi-weekly call to your calendar.

Author: Mike Long, Kosli, CEO
