Skip to content

Search the site

Why banks need to sink their teeth (safely) into open source

Devs are are using more open source packages than ever, but...

Open source software is finally getting the attention it deserves by financial institutions. But with mounting pressure to address the critical issues around security and data breaches, banks have to be vigilant about deployment.

Adam Gibson Founder of Konduit and CTO of Skymind, creator of the widely used OSS project deeplearning4j (a deep-learning library written for Java and Scala), explains how banks can minimise the risk and operational cost around open source while creating a competitive ecosystem for customers.

Banks took a while to embrace open source - and for very good reasons.

Data breaches, security risks and a loss of overall control were - and still are - valid concerns - and for years the sector subsequently ignored the benefits that open source could have on the global financial system and the customers it served.  Times have now changed, and as open source takes on a dominant role in the IT sector we are also witnessing a shift towards acceptance among banks that has been driven by several factors.

First is the response from global tech giants. While financial institutions spent years dragging their heels about open source, Silicon Valley took a risk and embraced it with open arms,  believing it was the development model of the future  and which could transform their business offerings to something even more colossal in size and scale.

So committed was the tech world to open source that the biggest industry players started buying up the biggest names in the open source sector at eye watering prices. Some of the most memorable investments on record include Microsoft’s purchase of  GitHub for $7.5 billion in 2018, and 2019's acquisition of Red Hat by Microsoft for $34 billion. The coding world quickly followed suit, with developers loving the freedom it brought and opportunity to work as a global community.  Developers are now using more open source packages during the software life cycle than ever before: an estimated 99% of current codebases use open source components, with up to 70% of enterprise code being open source.  This is code being applied for the creation of everything from banking apps to mobile video games and IOT devices.

Open source and the future of banking: execution and differentiation in customer service increasingly mean flourish or fall

A second reason for the finance sector’s growing acceptance is a response to competition. Over the past few years, banking has been forced to undergo a digital transformation at all levels, spurred on by developments in the fintech movement and the rising popularity of digital players such as Monzo and Starling Bank (both heavy open source users) - not to mention consumer demand for mobile services.

According to a 2018 white paper by the Fintech Open Source Foundation (FINOS) banks were advised to deploy open source “more strategically, efficiently, and extensively” and that financial services firms would only stay competitive through the “execution and differentiation in customer service.” In other words, banks had no choice but to ride the wave of open source - or risk drowning in a sea of nimble competition.

A third explanation is legislation. Forced by governments to accept open banking, financial firms began to adopt  new technologies and methods such as open APIs and Cloud. The logical progression of this movement was to harness the power of open source, which can unlock the benefits of open banking. Without it there can be no progress forward.

Two years since the legislation came into effect, open banking adoption among  financial services providers remains sclerotic at best.  A major reason for this is a technical one - and not one of resistance.

For open banking to work, many different systems must be able to communicate and exchange data with one another. This is a significant IT challenge, especially for traditional banks that rely on legacy systems that were built years ago and weren’t designed to support the demands of an open banking model. Shifting to open source can address these challenges head on, offering a flexible and scalable solution that is always on and is the main artery for the most interesting technological advancements happening today. With this knowledge at hand, banks are realising they have to act or risk losing market share - and the quicker they start using the open source, the fast they will reap the benefits of its implementation.

These include a reduction in cost by bypassing annual software licence fees to software vendors - as well as the added bonus of no vendor lock-in. There is also the major reduction in development time (and subsequently time-to-market) as developers can piece together existing software modules rather than having to build from a blank slate.

Before banks start using open source, however, they have to accept that they most don’t  have the skills to code and customise securely, leaving many problems to occur from a security standpoint. Also, as with any form of software, open source is created by humans and therefore comes with bugs - according to one report, one in ten open source software downloads contain vulnerabilities with on average 38 known open source vulnerabilities in each application.

So how can banks deploy and manage open source more effectively and while reducing their exposure to risk?

The best option is to adopt a managed services approach right from the start. At the moment we are witnessing more and more banks calling in for help when they’ve stumbled across big problems. The delay in reaching out  becomes counterproductive as it takes longer to correct the problems they’ve created and costs the banks more. It also becomes riskier to consumers, creating opportunities for cyber criminality to hack through the system.

To avoid any cyber vulnerabilities,  banks should also work with vendors to ensure security patches are deployed on time to safeguard machine learning use cases as well as for security reasons. Otherwise, they risk burning a hole in ther pockets in the long run.

Unpatched open source can have hidden costs that are not necessarily paid up front but later down the road with interest. It is estimated that 75% of commercial codebases come with open source security vulnerabilities.

While more than 85% of open source security vulnerabilities are disclosed and have a fix readily available, most companies are not set up to actually put them into practice. The rate of open source vulnerabilities being reported is also accelerating faster than most companies can keep up - in 2019, the number rose to more than 6000, which makes tracking newly revealed vulnerabilities along with their patches practically impossible to implement manually. Calling in a firm right from the start can address a few of these burdens, while also helping with the design of the implementation.

There is also the issue of data storage issues. During lockdown, banks have been forced to upgrade their digital services and maximise their data storage capabilities through cloud-based technologies. Their use of Kubernetes and containers enabled software development teams has helped to quickly create and deploy cloud solutions - and this has revolutionised the online experience for customers, where mobile has replaced the act of standing in a branch face-to-face with a teller.

But making sure this is safe and secure can only be confirmed with support from experts that can identify and errors in implementation that could be felt further down the line.

For banks that choose not to take on a managed service approach, they can read up on open source and make use of the free resources offered by organisations such as the Open Bank Project, which empowers financial institutions of all sizes to securely and rapidly enhance their digital offerings - through leveraging a collection of pre-built banking APIs as well as a global ecosystem of third party applications and services.

While open source deployment picks up pace in the banking industry, let’s not forget that security was one of the main reasons why the sector was initially worried about adopting it. Now with more banks embracing the open source movement, let’s hope they do what’s best for them - and get the support they need from the start.  Only through effective deployment can bank reap the benefits that open source can bring to their organisations and the customers they’re meant to service.

Read this: US gov’t, CrowdStrike push out free Azure security tools, after SUNBURST abuse