Open Source in Finance Forum London 2025

What can we consider truly “secure”? Most cybersecurity professionals would agree: nothing. While this may be true, threat modelling helps regulated organisations, such as FSIs, design, build, and operate cloud native systems within acceptable security and operational risk tolerances. This works for known threats, but how do we address the "unknown"?
Are there countermeasures? Possibly! ControlPlane has partnered with King’s College to find out. We start from Kubernetes, the platform most used by global FSIs to run containers at scale. We aim to use rigorous mathematical techniques to explore all states of insecurity for a given configuration and enumerate unknown attack paths.
In this talk, we will: Highlight the limits of traditional threat modelling in providing security guarantees, Explain how formal methods can verify cloud native systems and deliver provable security guarantees, Guide the audience through assessing unknown threats and show how standards like FINOS Common Cloud Controls mitigate both known and unknown threats. A PhD in Mathematics is NOT required. We’ll explain formal verification in an accessible way, using real-world examples from regulated FSIs.