NatWest Group Hosted - FINOS DevOps SIG - Open Source Supply Chain Security Roundtable

[mcleo-d]

NatWest Group is running an Open Source Supply Chain Security “FINOS Members + Limited Guests, Chatham House Rule” roundtable, to celebrate OSFF London, on behalf of the FINOS DevOps Automation SIG.

• Tuesday 25th June at 9:30am BST / 2pm IST - Fully Hybrid over Zoom

The roundtable is fully virtual, with 10 places available at NatWest, London for those wanting to join us in the room (registration in the comments below).

During the meeting we should explore [WIP please feedback in the comments]

1. Aligning the RT to the DevOps Automation “Open Source Supply Chain Security” Working Group.
2. Safe ingress of Open Source materials / dependencies into a banking engineering scenario.
3. Safe storage and continuous monitoring of internal Open Source registries and Route to Live.
4. Automation tools on repos and IDEs (DevSecOps + shift left).
5. OpenSSF and FS-ISAC training, alignment and standardisation.

We look forward to celebrating OSFF London with you, on behalf of NatWest Group!

James.

Roundtable Minutes

Attendees

• There were 14 attendees from FINOS Banks, Tech Firms and Consultancies.
• There was an open source guest from outside the FINOS membership.

Agenda

• Introduction and agenda overview
• FINOS Open Source Supply Chain Security Initiative
• Feedback and consensus on strategic direction
• Discussions on critical dependencies and security posture
• Open source readiness and DevSecOps alignment
• Introduction of additional participants
• Developer-centric SaaS and shift-left strategies
• Summary and next steps

Meeting Notes

• Introduction
  • Overview of the agenda and purpose of the meeting.
  • Acknowledgment of participants and their roles.
• Open Source Supply Chain Security Initiative
  • Aim to collaborate on security posture of critical dependencies.
  • Discussion around Sonatype’s role in identifying critical dependencies.
  • Proposal for funding and engagement with open source projects.
• Feedback and Consensus
  • General agreement on the need for FINOS strategic initiative.
  • Concerns around funding, collaboration with other foundations.
  • Importance of having clear objectives and commitments from participants.
• Critical Dependencies
  • Need for a data-driven approach to identify and rank dependencies.
  • Suggestions to involve JFrog and GitHub for better data aggregation.
  • Discussion on potential metrics and scoring for open source projects.
• Open Source Readiness and DevSecOps
  • Emphasis on integrating security into DevSecOps pipelines.
  • Need for clear maturity models and best practices to guide organizations in improving their security posture..
  • Agreement on the importance of automation in security to ensure continuous monitoring and compliance.
  • Ensure developers have the right tools to maintain code quality and security.
• GitLab and Internal Registry Scanning
  • Enhance GitLab integration for security scanning.
  • Implement comprehensive scanning for internal registries to detect vulnerabilities and licensing issues.
• Additional Participants and Perspectives
  • Introduction of new participants and their roles.
  • Discussion on the role of FINOS banks in prioritising product backlogs.
  • Collaborate with other foundations like OpenSSF and Alpha-Omega to avoid overlap and leverage existing efforts.
• Developer-Centric SaaS and Shift-Left Strategies
  • Presentation on the use of Semgrep in IDEs and CI/CD.
  • Emphasis on real-time feedback and code augmentation.
  • Concerns around the over-reliance on automation and suggestions.
• SBOM Importance
  • The group emphasized the importance of SBOMs in improving the security posture of projects.
  • There was a suggestion to host SBOMs and help propagate them, ensuring that they are part of the security metadata.
  • It was discussed that projects should be producing their own SBOMs, and there might be funding to support this activity.
  • The need for standard formats and versions for SBOMs was highlighted to ensure consistency and completeness.
  • The potential for tools to automatically produce SBOMs was mentioned, reducing the burden on maintainers.
• Security Posture Metrics
  • Discussion on various metrics for assessing security posture, including the use of scorecards and best practices from OpenSSF
• Summary and Next Steps
  • Agreement to present the proposal to the FINOS Board.
  • Recognised need for more participants in the working group.
  • Plan to follow up with JFrog and GitHub for further discussions.

Group Actions

• Present the proposal to the FINOS Board.
• Explore opportunities for contributing funding or sweat equity to critical open source projects.
• Engage with Sonatype, GitHub, GitLab and JFrog for data-driven approaches.
• Coordinate with DevOps Automation to support the working group.
• Explore involving more partners in future meetings.
• Set up a follow-up session to demonstrate developer-centric SaaS tools.
• Identify potential champions within their organisations for the working group.
• Provide feedback and suggestions for the strategic initiative.

[msagi]

+1 happy to join, in the room! 🚀

[aaronsearle]

+1 Would also be happy to join the room.

[mcleo-d]

+1 Would also be happy to join the room.

Thanks @aaronsearle - I have messaged you over LinkedIn for details.

[techno-wizardry]

+1 I'm a bit late to this, but if there is still availability, I'd love to come along.