Open Source in Finance Forum London 2025

Ensuring licensing compliance with SBOMs isn’t just about identifying declared licenses: it requires verifying the integrity of the listed components. Without validation through identity assertions and cryptographic hashes, SBOM license data can be incomplete, misleading, or outright incorrect. This session explores how to enhance trust in SBOM-driven compliance by integrating integrity checks, ensuring the software components match their declared identities. Attendees will gain insights into best practices for verifying SBOM data, mitigating legal and security risks, and improving compliance workflows. Join me to learn why an SBOM without integrity verification is meaningless—and how to fix it.

Financial institutions increasingly rely on open source software - but vulnerabilities and risk clusters such as Log4j, the XZ Utils backdoor, and the recent 500% YoY spike in malicious Open Source packages reveal that OSS dependencies import dramatic risk to enterprises. New regulations like NIS2 and the Cyber Resilience Act mandate a clear understanding and inventory of Open Source components and their risks, making up to 98% of overall system code. Despite millions invested in cybersecurity tools, financial institutions struggle to understand, measure and mitigate their open source risk exposure, leaving them vulnerable and uncertain about ROI to invest in Open Source. OSPOs, often are just small teams, and grapple manually with vast, complex OSS landscapes - creating blind spots in audits, compliance, and regulatory readiness. Using AI for Open Source Security Economics changes this. Open Source as a Balance Sheet empowers OSPOs, cybersecurity, and financial leaders to turn open source from an unknown liability into quantifiable, strategic financial assets.

What can we consider truly “secure”? Most cybersecurity professionals would agree: nothing. While this may be true, threat modelling helps regulated organisations, such as FSIs, design, build, and operate cloud native systems within acceptable security and operational risk tolerances. This works for known threats, but how do we address the "unknown"?
Are there countermeasures? Possibly! ControlPlane has partnered with King’s College to find out. We start from Kubernetes, the platform most used by global FSIs to run containers at scale. We aim to use rigorous mathematical techniques to explore all states of insecurity for a given configuration and enumerate unknown attack paths.
In this talk, we will: Highlight the limits of traditional threat modelling in providing security guarantees, Explain how formal methods can verify cloud native systems and deliver provable security guarantees, Guide the audience through assessing unknown threats and show how standards like FINOS Common Cloud Controls mitigate both known and unknown threats. A PhD in Mathematics is NOT required. We’ll explain formal verification in an accessible way, using real-world examples from regulated FSIs.

Maximizing performance is often a competitive advantage in financial applications, and for four decades, the leading language for high-performance software has been C++. However, in recent years concerns about the risk of software vulnerabilities related to memory safety and the rise of Rust, a memory-safe language which offers performance comparable to C++, have led industry-leading companies and major governments to urge for a transition away from memory-unsafe languages. The sheer volume of existing C++ code and the value it represents makes rewriting it all infeasible on a timescale less than several decades, so large C++ codebases need to invest in high-performance interoperability to mitigate risk and potentially to comply with upcoming regulatory mandates. This talk will outline the current state of this strategy and the potential for innovation which can bring greater safety to performance-critical applications within finance and beyond.

eBPF is a technology that allows dynamic, bespoke programs to change the way the kernel behaves. This talk introduces eBPF and shows how the Tetragon open source project applies it to provide powerful runtime security capabilities that can detect and even prevent malicious activities such as suspicious file access, network connections, and privilege escalation, with very low overhead. In the financial sector, security is paramount, and this talk will explore the likely evolution for standardized security tooling based on eBPF and Tetragon.

This joint session from GitLab and ControlPlane explores how financial institutions can leverage GitOps and modern CI/CD pipelines to overcome regulatory roadblocks without sacrificing speed or security. The presenters will demonstrate practical approaches to securing the software supply chain in highly regulated environments, focusing on build integrity, artifact verification, and policy-driven deployments. Through real-world financial services case studies, they'll showcase how automation can transform compliance from a bottleneck into a competitive advantage. Attendees will learn proven techniques for implementing security-by-design across the software lifecycle, generating comprehensive SBOMs, and creating auditable deployments that satisfy regulatory requirements. The session bridges technical and business perspectives, illustrating how secure CI/CD practices enable financial organizations to accelerate innovation while maintaining strict compliance. Discover how open source tools with enterprise capabilities create transparent, collaborative workflows that empower both development teams and compliance stakeholders.