October 14, 2021

The Open Source Security Foundation

Atte Lahtiranta, CTO, Goldman Sachs

Like most any modern enterprise, Goldman Sachs runs on open source software. This is one reason we recently launched our Open Source Program Office (OSPO). Our OSPO is working with the Goldman Sachs developer community to accelerate our rate of open source contributions, including pull requests of patches and new features, to projects on which we rely. We're also continuing to open source projects originated in our organization, such as our recent contributions of CatchIT and Legend to FINOS. The central role that open source plays in our software bills of material is also why we will continue to grow our financial support of open source projects both in the form of direct grants to maintainers as well as through open source foundations and consortia.

An example of a foundation we've chosen to support is the Open Source Security Foundation (OpenSSF). OpenSSF is part of the wider Linux Foundation family of initiatives. Yesterday the Linux Foundation and OpenSSF announced our participation in an overall cross-industry commitment of $10M to be used to further secure the open source software supply chain. The OpenSSF was created to help companies and organizations, from both the private and public sector, to respond to the imperative that is cybersecurity. The OpenSSF also represents a collective mobilization in response to the May 2021 White House Cybersecurity Executive Order call-to-action.

Cybersecurity is not something that can be done in silos. The OpenSSF will be an important forum where we can bring everyone together – including large corporations, startups, individual contributors, and maintainers - to share learnings and build improved tooling. Together, we will be able to:

  • Improve vulnerability detection in open source packages, "shifting left" detection to earlier in the process, and accelerating the distribution of patches to impacted users.
  • Create leading practices for controlling and managing the software supply chain, especially in regards to continuous integration and continuous deployment (CI/CD) and associated rapid iteration development methodologies.
  • Improve testing methodologies and frameworks.
  • Better train our teams -- secure software starts with the humans that build and use it.

Goldman Sachs is excited to work alongside the open source community on this critical initiative. To learn more and get involved, visit the OpenSSF GitHub.

See https://www.gs.com/disclaimer/global_email for important risk disclosures, conflicts of interest, and other terms and conditions relating to this blog and your reliance on information contained in it.