Mike Schwartz, Founder & CEO, Gluu
What is Free Open Source Software or “FOSS”, and why is it the best development methodology for Open Banking?

The “open source” marketing label is a bit like “organic” — you need to dig deeper to understand what it really means. Some “organic” products may contain up to 30% non-organic ingredients! Thriving FOSS ecosystems share some common characteristics though: at a minimum, an open source license is fundamental — everyone in the ecosystem must have the right to modify and redistribute the code. Versioned packages are important as well: operations teams can’t compile source code and need easy-to-use binaries. And finally, freely available documentation and an active community are essential for productivity. When all cylinders are firing (code, packages, docs, and an active community), the FOSS development process results in a product which has the most features, the fewest bugs, the simplest user experience and the quickest updates. More eyes on the code, more contributors building features, and more trained engineers make community the super-power for open source products.
Is open source safe for banks?

There is no intrinsic security advantage for proprietary commercial software — hackers don’t need to see source code to find flaws. There is, however, a clear security benefit derived when many organisations pool their penetration testing results and share findings. An open source community leads to more discussion on the impact of announced security vulnerabilities and faster bug fixes. Community collaboration is the secret power of open source software, and makes it a “super-safe” choice!
What types of use cases is open source software best suited to address?

Open source software works best for standards, security and infrastructure: areas where cooperation is more important than competition. Banks compete, but nobody wins if hackers get richer. Sharing know-how on software that implements security standards is a win-win for all legitimate players in an ecosystem.
What are the up-and-coming identity security standards that will impact Open Banking?

The Internet is a layered fabric of standards. Routing data packets, browsing web pages, sending email, using mobile applications — none of this can happen without Internet standards working together. Important new standards for authentication, single sign-on (SSO) and consent management are proliferating even as older identity security standards are just gaining adoption. Even experts in the industry find it difficult to keep track of it all! Three standards organisations are developing identity standards that will have an important impact on Open Banking: the OpenID Foundation (OIDF), Kantara and the FIDO Alliance:
- Authentication: The FIDO Alliance is defining standards for hardware, mobile, and biometric authentication credentials.
- Single Sign-On: OIDF is leading the Financial API (FAPI) working group, which is defining a profile of OpenID Connect that enables websites and mobile applications to securely use a bank’s authentication service.
- Authorisation: Kantara’s UMA standard will enable consumers to delegate access and permissions to people and electronic agents, and will help banks define inter-operable security policies with account information service providers and payment initiation service providers.