How banks can securely implement and deploy open source
- 30 Oct 2020
Poor deployment of open source software is leading to unnecessary data risks and operational costs.
It was in 1967 that the first step towards banking automation was taken, with the inaugural installation of an ATM in the UK. Five decades later came the launch of open banking in the UK, which, ironically, reduced reliance on those very same ATMs. The dawn of 2018 brought a new, regulated way for third-party financial providers to access a customer's financial information with that customer's consent. Advocates of open banking believed that consumers would be able to profit from access to their own data, while its biggest critics worried about the implications for data safety.
In the past, banks would not even consider adopting open source software, and with traditional vendors like IBM and Oracle holding strong positions in the industry, the shift to open source has been glacial. However, recent years have seen banks undergoing digital transformation at every level, introducing new technologies and methods such as open APIs and cloud, and with them open source. Open source was once the preserve of idealists, smaller startups and tech giants like Google, but it is now slowly being adopted on a broader scale.
A 2018 white paper by the Fintech Open Source Foundation (FINOS) and its partners set out why financial services firms should embrace and adopt open source, calling on them to use it “more strategically, efficiently, and extensively than your competitors.” With digital disruption handled collectively through technology solutions that become “de facto industry standards,” financial services firms would stay competitive only through “execution and differentiation in customer service.” In other words, banks had no choice but to ride the wave of open source or risk drowning in a sea of nimbler competition.
Banks stand to benefit from adopting open source. They can significantly reduce costs by avoiding annual software license fees to vendors, with the added bonus of far less vendor lock-in, although support, maintenance and patching still have to be paid for, either in-house or through a services contract. Development time, and with it time-to-market, is also heavily reduced, as developers can assemble existing software modules rather than building from a blank slate.
For these and many other reasons, developers are using open source packages and libraries more and more throughout the software lifecycle: an estimated 99 percent of current codebases use open source components, and up to 70 percent of enterprise code is open source.
Open banking in the UK is being encouraged to flourish by regulatory activity; no other country's regulators have taken quite the same approach. The Competition and Markets Authority (CMA) mandated application programming interface (API) specifications for payment initiation and customer account information, standardized formats and coding languages for those APIs, and the supervision of third-party providers (TPPs) via a TPP register. This has been a huge boost to the fintech industry and has heralded a new wave of bank and fintech partnerships and investments, as well as open banking products and services.
At the moment, however, the trend is this: banks start using open source, but they lack the skills to code, customize and configure it securely, and security problems follow. And, as with any software, open source is written by humans and therefore ships with bugs: according to one report, one in ten open source software downloads contains vulnerabilities, with an average of 38 known open source vulnerabilities in each application.
So how can banks deploy and manage open source more effectively while reducing their exposure to risk?
One option is to adopt a managed services approach from the start. As mentioned above, open source can be very cost effective, but only if the job is done right. In other words, large-scale deployments need support from the very beginning of the process, or there will be financial and operational repercussions that benefit neither financial institutions nor their customers.
What currently happens is that most banks only call in help when they stumble across big problems. This is counterproductive, more expensive to correct and riskier for consumers, since each weakness left unaddressed is an opening for cyber criminals to get into the system.
For example, banks can work with vendors to ensure that updates are deployed on time, both for machine learning use cases (where stale or unvalidated models may be biased) and for security: unpatched open source carries hidden costs that are not paid up front but later, with interest. It is estimated that 75 percent of commercial codebases contain open source security vulnerabilities.
While more than 85 percent of disclosed open source vulnerabilities have a fix readily available, most companies are not set up to actually apply those fixes. The rate at which open source vulnerabilities are reported is also accelerating faster than most companies can keep up with: in 2019 the number rose to more than 6,000, which makes tracking newly disclosed vulnerabilities and their patches practically impossible to do manually. In practice that means keeping an inventory of every component and version in use and matching it continuously against advisory feeds, so that the available upgrade is surfaced automatically rather than discovered after an incident.
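The matching step described above is what software composition analysis tooling automates. The following is an added example, not code from the article or from any vendor's product: a minimal matcher that reads a pinned Python manifest and compares it against an advisory feed. The manifest, the package versions and the advisory identifiers (EXAMPLE-000x) are constructed for illustration and do not correspond to real vulnerabilities; the range semantics (a package is affected when introduced <= installed < fixed) follow the OSV schema's convention, which is an assumption about what a real feed would supply.

```python
"""Match pinned dependencies against an advisory feed (added example).

Illustrative code, not code from the article or from any vendor's product.
It assumes a requirements.txt-style manifest and advisories shaped loosely
like OSV records, where a package is affected when
introduced <= installed < fixed (the "fixed" bound is exclusive). Every
package version and advisory ID below is constructed and does not refer to
a real vulnerability.
"""
import re
from dataclasses import dataclass

# Constructed manifest for a hypothetical payments service.
MANIFEST = """\
# pinned dependencies (constructed sample, not a real service)
requests==2.19.0
pyyaml==5.3.1
cryptography==3.2   # inline comment is ignored
urllib3==1.26.5
"""

# Constructed advisory feed; IDs and ranges are illustrative only.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "requests", "introduced": "2.0.0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-0002", "package": "pyyaml", "introduced": "0", "fixed": "5.4"},
    {"id": "EXAMPLE-0003", "package": "cryptography", "introduced": "0", "fixed": "3.3"},
    {"id": "EXAMPLE-0004", "package": "urllib3", "introduced": "0", "fixed": "1.26.5"},
    {"id": "EXAMPLE-0005", "package": "pillow", "introduced": "0", "fixed": "8.1.1"},
]

_PIN = re.compile(r"^([A-Za-z0-9_.-]+)==([^\s#]+)")


def version_key(version: str) -> tuple:
    """Dotted numeric version -> tuple of ints. Pre-release tags are not
    handled; real tooling should use a PEP 440 parser (packaging.version)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_lt(a: str, b: str) -> bool:
    """True if version a < version b, treating missing components as 0
    so that 3.3 equals 3.3.0 rather than sorting below it."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    return ka + (0,) * (width - len(ka)) < kb + (0,) * (width - len(kb))


def parse_manifest(text: str) -> dict:
    """Return {package: pinned_version}; names are lower-cased because
    PyPI names are case-insensitive. Unpinned lines are rejected so that
    a floating version cannot silently escape the check."""
    pinned = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _PIN.match(line)
        if not m:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        pinned[m.group(1).lower()] = m.group(2)
    return pinned


@dataclass(frozen=True)
class Finding:
    package: str
    installed: str
    advisory_id: str
    fixed: str


def find_vulnerable(manifest: dict, advisories: list) -> list:
    """Every (package, advisory) pair whose pinned version falls in the
    affected range. A version equal to "fixed" is not affected."""
    findings = []
    for adv in advisories:
        name = adv["package"].lower()
        if name not in manifest:
            continue
        installed = manifest[name]
        in_range = (not version_lt(installed, adv["introduced"])
                    and version_lt(installed, adv["fixed"]))
        if in_range:
            findings.append(Finding(name, installed, adv["id"], adv["fixed"]))
    return findings


def upgrade_plan(findings: list) -> dict:
    """Lowest version per package that clears every matched advisory,
    i.e. the maximum of the "fixed" bounds."""
    plan = {}
    for f in findings:
        if f.package not in plan or version_lt(plan[f.package], f.fixed):
            plan[f.package] = f.fixed
    return plan


if __name__ == "__main__":
    found = find_vulnerable(parse_manifest(MANIFEST), ADVISORIES)
    for f in found:
        print(f"{f.package}=={f.installed}: {f.advisory_id}, fixed in {f.fixed}")
    print("upgrade to:", upgrade_plan(found))
```

On the constructed input the matcher flags requests, pyyaml and cryptography and leaves urllib3 alone, because its pinned version equals the fixed bound. Two design points carry over to real deployments: the manifest parser refuses unpinned requirements, since a floating version cannot be matched reliably, and the upgrade plan reports the minimum version that clears every matched advisory so the patch step is actionable rather than just a list of IDs.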
Calling in a firm from the start can help alleviate some of those burdens. It can also help with the design of the implementation, such as analyzing which tools will be most useful. While certain technologies like Python, Spark and Cassandra have been gaining a lot of traction, it is important to research where banks will get the best long-term value.
There is also the issue of data storage, which has taken up more of the spotlight this year. During lockdown, banks have been nudged towards rapidly upgrading their digital services and expanding their data storage capabilities through cloud-based technologies. Kubernetes and containers have enabled software development teams to create and deploy cloud solutions quickly, and this has transformed the online experience for customers, with mobile replacing the act of standing in a branch face-to-face with a teller. Those base images and orchestration tools are themselves open source components, so they belong in the same inventory and patch cycle as application libraries.
Another option is to make the most of the resources offered by organizations such as the Open Bank Project, which helps financial institutions of all sizes to enhance their digital offerings securely and rapidly by leveraging a collection of pre-built banking APIs and a global ecosystem of third-party applications and services.
by Adam Gibson