October 14, 2021

The Open Source Security Foundation

Atte Lahtiranta, CTO, Goldman Sachs

Like most any modern enterprise, Goldman Sachs runs on open source software. This is one reason we recently launched our Open Source Program Office (OSPO). Our OSPO is working with the Goldman Sachs developer community to accelerate our rate of open source contributions, including pull requests of patches and new features, to projects on which we rely. We're also continuing to open source projects originated in our organization, such as our recent contributions of CatchIT and Legend to FINOS. The central role that open source plays in our software bills of materials is also why we will continue to grow our financial support of open source projects, both in the form of direct grants to maintainers and through open source foundations and consortia.

An example of a foundation we've chosen to support is the Open Source Security Foundation (OpenSSF). OpenSSF is part of the wider Linux Foundation family of initiatives. Yesterday the Linux Foundation and OpenSSF announced our participation in an overall cross-industry commitment of $10M to be used to further secure the open source software supply chain. The OpenSSF was created to help companies and organizations, from both the private and public sector, to respond to the imperative that is cybersecurity. The OpenSSF also represents a collective mobilization in response to the May 2021 White House Cybersecurity Executive Order call-to-action.

Cybersecurity is not something that can be done in silos. The OpenSSF will be an important forum where we can bring everyone together, including large corporations, startups, individual contributors, and maintainers, to share learnings and build improved tooling. Together, we will be able to:

  • Improve vulnerability detection in open source packages, "shifting left" detection to earlier in the process, and accelerating the distribution of patches to impacted users.
  • Create leading practices for controlling and managing the software supply chain, especially in regards to continuous integration and continuous deployment (CI/CD) and associated rapid iteration development methodologies.
  • Improve testing methodologies and frameworks.
  • Better train our teams: secure software starts with the humans that build and use it.

Goldman Sachs is excited to work alongside the open source community on this critical initiative. To learn more and get involved, visit the OpenSSF GitHub.

