supply chain issues, and the overall maintenance challenge of open source software. As a result, organizations, such as OpenSSF, are growing in membership and creating concrete plans to tackle these challenges. NatWest’s Haggarty states, “Log4j will result in a sea change. People will think twice about what this means—it is starting to knock confidence.”14

FIGURE 11
Organizational confidence in the open source components they consume

How confident are you that the open source components you use are maintained and up-to-date? (select one) segmented by: Which of the following most closely describes your role?

Extremely confident: Total 33%, Technical 28%, Non-Technical 38%
Somewhat confident: Total 36%, Technical 38%, Non-Technical 35%
Not very confident: Total 20%, Technical 24%, Non-Technical 15%
Not at all confident: Total 7%, Technical 9%, Non-Technical 4%
Don't know or not sure: Total 5%, Technical 1%, Non-Technical 8%

2022 FINOS STATE OF OSS IN FINANCIAL SERVICES SURVEY, Q14 X Q9, SAMPLE SIZE = 210

IN THEIR WORDS
Financial services leaders on security

“Cybersecurity and supply chain are now top of mind in a way they weren’t 20 years ago. Particularly as a regulated entity, we have to be sure that we are secure.”15

“We have tight inbound controls for open source consumption. We also focus on controls for software that is in production, which is vital for any organization with a large legacy estate.”16

“We have had an increased involvement in OpenSSF, attending meetings and helping to guide that project. It's better for the world. It's for the greater good.”17

“In the first few hours of the Log4J, the vulnerability was reported by someone from a major company, basically saying, let us know when it's fixed. I would love to think I could have been asking, ‘How can I help with this?’ rather than just ‘Tell me when it's fixed.’”18

WHERE IS OPEN SOURCE USED?

Open source consumption is occurring on a massive scale. According to Elspeth Minty, Managing Director at RBC Capital Markets, “Open source is used in some form in around 90% of systems. If you include tooling around compilers and runtime and builds and deployment, it’s 100%.”19 Another leader who we spoke to detected around 35,000 different open source components, with 128,000 versions of those components.

THE 2022 STATE OF OPEN SOURCE IN FINANCIAL SERVICES