
FinTech For Dummies

Steven O'Hanlon, Susanne Chishti, James Jockle, Dawn Patrick

Published: September 1, 2020


Examine the depth and breadth of financial technology

This comprehensive, hands-on guide is the go-to source for everything you need to confidently navigate the ever-changing scene of this booming industry. FinTech For Dummies sheds light on this rapidly changing landscape, making it an invaluable source of information for anybody working in or interested in this space. This book provides insights, knowledge, and guidance from industry experts Steve O’Hanlon and Susanne Chishti on the following:

  • Gaining insight into the fastest-growing market segment of the financial markets
  • Learning the core decision-making needed to effect a growth plan
  • Securing knowledge of the fastest-growing fintech companies in the world
  • Navigating the fintech world
  • The ingredients for building a FinTech company

FinTech For Dummies Cheat Sheet

What is FinTech? A FinTech company is any company that provides financial services, software, or technology to individuals, companies, governments, or financial institutions. If you’re interested in finding out more about FinTech, it helps to know a few basic definitions, understand the benefits of working with a FinTech provider, and get a handle on the core technologies.

Articles From The Book


Industry Sectors FinTech Is Disrupting and Improving

In this article, we look at some business types in more detail to see how traditional financial firms are being shaken up — and improved — by FinTech disruptions. What is FinTech? FinTech is an overarching term for the combination of finance and technology. However, within FinTech, many subcategories apply to specific sectors of the financial world. Here’s a quick summary of them:

  • Capital Markets Tech, in which companies led by seasoned capital markets veterans apply newer technology such as artificial intelligence, machine learning, and blockchain, is both collaborating with and disrupting the financial services incumbents.
  • WealthTech unites wealth and technology to provide digital tools for personal and professional wealth management and investing. This sector includes brokerage platforms, automated/semiautomated robo-advisors, and self-directed investment tools for individual investors and advisors to navigate the changing landscape in wealth management. For more information, check out The WealthTech Book, edited by Susanne Chishti and Thomas Puschmann (published by Wiley).
  • InsurTech is a combination of insurance and technology. It refers to innovations that generate efficiency and cost savings from the existing insurance industry model. For more information, see The InsurTech Book, edited by Sabine L. B. VanderLinden, Shân M. Millie, Nicole Anderson, and Susanne Chishti (published by Wiley).
  • RegTech is a community of technology companies that solve regulatory challenges through automation. The increase in major regulatory policy and the rise in digital products have made it imperative for companies to check for and implement compliance issues, and this can be difficult with old, manual processes. For more information, refer to The RegTech Book, edited by Janos Barberis, Douglas W. Arner, and Ross P. Buckley (published by Wiley).
  • PayTech refers to the combination of payments and technology. Innovative payment services now form part of the PayTech ecosystem and have dominated the early days of the FinTech revolution through mobile, cross-border, peer-to-peer, and cryptocurrency payments. Financial institutions have had to digitize their current offerings to create new channels linked to a digital platform. For more information, see The PayTech Book, edited by Susanne Chishti, Tony Craddock, Robert Courtneidge, and Markos Zachariadis (published by Wiley).
  • AI in Finance refers to how artificial intelligence, machine learning, and deep learning are applied across financial services companies today and how they could be used in the future. For more information, see The AI Book, edited by Ivana Bartoletti, Susanne Chishti, Anne Leslie, and Shân M. Millie (published by Wiley).
  • LegalTech combines legal technologies and their relationship with data, the Internet of Things (IoT), cybersecurity, and distributed ledger technologies, as well as the ethical considerations of technological advancement. For more information, refer to The LegalTech Book, edited by Sophia Adams Bhatti, Susanne Chishti, Akber Datoo, and Drago Indjic (published by Wiley).


Some larger financial institutions have adopted the phrase “We’re just a technology company that happens to have a banking license.” This is mostly a marketing gimmick, although it’s perhaps partially true for some of the new challenger banks that are attempting to disrupt the incumbent banks. However, with customer acquisition costs high and increasing regulatory hurdles to surmount, new challenger banks need to decide whether they will build their technology stack themselves or work with FinTech partners to develop the innovation required to topple the incumbents.

The financial institutions that are effectively managing this move to become FinTech companies are those that understand how to move quickly to deliver what the consumer needs in an industry on the verge of further change. Most of those who succeed have taken a hybrid approach, focusing on partnerships, acquisitions, and internal initiatives.

Several incumbent banks are known to be developing new digital-first products in a bid to keep the new wave of challenger banks and providers in the background; an example is Bo from the Royal Bank of Scotland. They are also gradually adopting much more ambitious cloud-based platforms (despite their concerns about their data being breached) on which they can offer or launch numerous products. These initiatives are being supported by the likes of Amazon, Google, and Microsoft, which provide cloud hosting services and enable banks to develop core banking Software-as-a-Service (SaaS) platforms with the encryption and security controls that regulators require. Note that the cloud provider secures the underlying infrastructure; the bank remains responsible for how its data, identities, and services are configured on top of it.

Asset management

Traditionally, serious investors have valued personal investment advice from human experts, and they haven’t minded paying for it. However, the asset management industry has been attacked from two different angles:
  • One of these is the march toward passive investments (such as exchange traded funds, or ETFs) over active asset management. ETFs are traded like stocks where the holdings track to some well-known index, such as the Standard & Poor’s (S&P) 500.
  • The other is the rise in popularity of robo-advisors, which use ETFs as a strong part of their strategy. A robo-advisor is an investment selection tool that uses algorithms and machine learning to offer investment advice and management to users.
The trend toward passive asset management has been apparent for some time in the retail/business-to-consumer (B2C) space, but we’re lately also seeing it with the larger business-to-business (B2B) investors as the stock market index returns continue to rise and they are looking to cut costs to further enhance returns for their clients.

WealthTech firms are enabling investors to self-manage their portfolios by offering users technology-enabled tools to help make investing decisions. These tools can include full-service brokerage alternatives, automated and semiautomated robo-advisors, self-service investment platforms, asset class specific marketplaces, and portfolio management tools for both individual investors and advisors. They consider not only investment opportunities but also factors such as a user’s goals, income, marital status, and risk aversion to differentiate on their offering. They enable those who can’t afford a traditional financial advisor to have similar — if not more informed — advice at a lower cost.

Insurance

If the banking and asset management firms think they have it tough with the rise of FinTech firms, many believe that the insurance industry is even more prone to disruption, and innovation. InsurTech firms initially started to explore offerings that large insurance firms had little incentive to pursue. For example, they offered customers the ability to customize their policies, and they used internet-enabled devices to collect information about behavior (such as driving habits) that could be used to dynamically price insurance premiums.

Traditionally, the insurance market has worked with relatively basic levels of data to group respective policyholders together to generate a diversified portfolio of people. However, InsurTech firms are tackling their data and analysis issues by taking inputs from various devices, including GPS tracking of cars and activity trackers on wearables, so that they can monitor more finely defined risk groupings and therefore price certain products more competitively.

In addition to better pricing models, InsurTech firms are using highly trained artificial intelligence (AI) to help brokers find the right mix of policies to complete an individual’s insurance coverage and credit score. In some cases, they can replace brokers entirely, further disintermediating the process (and saving costs). Apps are also being developed that can combine contrasting policies into one platform for management and monitoring. Some of the benefits of that might include enabling customers to purchase on-demand policies for micro-events and enabling groups of individual policyholders to become part of a customized group that is eligible for rebates or discounts.

Insurance is also a highly regulated industry. Major brokers and underwriters have survived by being both prudent and risk averse. They are therefore suspicious of working with InsurTech start-ups, particularly those that want to disrupt their stable industry. Many InsurTech start-ups require the help of traditional insurers to handle underwriting issues, so the incumbent players here are likely to collaborate with and invest in their junior partners.

Regulation and legal work

RegTech is the management of and compliance with regulatory processes within the financial industry, using technology to address regulatory monitoring, reporting, and ongoing compliance. The predominantly cloud-based SaaS offerings that help businesses comply with regulations efficiently and more cheaply act as the glue between the various sectors of the financial services industry described earlier.

LegalTech describes technological innovation to enhance or replace traditional methods for delivering legal services across financial services and beyond. This innovation includes document automation, predictive artificial intelligence, advanced chat bots, knowledge management, research systems, and smart legal contracts to increase efficiency and productivity and reduce costs.

With the use of big data and machine-learning technology, RegTech and LegalTech firms reduce the risk to a financial institution’s compliance and legal departments by identifying potential threats earlier, minimizing the risks and costs associated with regulatory breaches and any legal work. RegTech firms can combine information from a financial institution with precedent data extracted from prior regulatory events to forecast probable risk areas that the institution should focus on. LegalTech firms can help financial institutions draft documents, undertake legal research, disclose documents in litigation, perform due diligence, and provide legal guidance. These analytical tools can save institutions significant time and money, including saving them from having to pay fines levied for misconduct. The institutions also gain an effective tool to comply with the ongoing rules and regulations specified by financial authorities, which are constantly subject to amendment.

Payments

From banknotes to coins to plastic cards and mobile devices, payments have evolved over the centuries to include a number of ways to help financial transactions take place between individuals, institutions, and governments. Payment technologies and the global infrastructures that facilitate payments around the world are also changing. Over the last few years, mobile money has helped millions of people in developing countries get access to the financial system and tackle the goal of financial inclusion. Digital and cryptocurrencies such as Bitcoin, Ripple, and Ether have also entered the payments sector, which is innovating more rapidly than ever with the goal of moving value in real time at near-zero cost. As a result, the PayTech sector is booming; established players work closely with newcomers, as there is no end to the creativity of the PayTech and payment industry.


What’s Disrupting the Financial Industry (And Why)

The financial services industry is in a state of massive disruption lately, in this post-financial-crisis era. Venerable, traditional financial institutions are on the defensive as new upstarts change the playing field in fundamental ways. This disruption is a growing concern for financial services firms at risk from potential displacement by nimbler, data-driven competitors, including those in banking, capital markets, insurance, and wealth management, and is forcing them to evolve to remain competitive. Some of this disruption is coming from the perception that BigTech giants, such as Amazon, Ant Financial, Apple, Facebook, and Google, are likely to roll out industry-changing platforms and technologies that compete with more traditional offerings. However, emerging FinTech start-ups are also challenging the status quo by providing innovative services and increased personalization, particularly in the consumer space rather than the wholesale arena.

FinTech, which is shorthand for “financial technology,” is the drive to bring transformative and disruptive innovation to financial services by applying new and emerging technologies and satisfying consumer needs through automation.

Traditional financial services institutions are right to be nervous about the growing successes of FinTech firms. By their very nature, FinTech start-ups have a number of advantages. Here’s a brief comparison:
  • For starters, FinTech start-ups are nimble. Because they aren’t disadvantaged by inherited older systems and methodologies, they can move faster to create new solutions. Their top leadership is also focused on creating the future, rather than maintaining the status quo, so they aren’t resistant to investing heavily in technological development and innovation.
  • In contrast, traditional banks, brokers, and asset managers have weighty existing systems to support, limiting what they can spend on innovation. They are also subject to greater regulatory and institutional constraints that limit their ability to fully focus resources on new technology.

FinTech companies must provide trust and value

Both consumers and businesses select financial services using two basic criteria:
  • Is it a trustworthy institution?
  • Do the services offered meet my needs at a competitive price while providing value-added services that make my life easier?
Because of this, every financial sector firm faces the same basic challenges today. They are all trying to restore public trust in a post-financial-crisis environment, deliver the services that customers want, and offer the customer an attractive value — all while still making a profit.


In today’s environment, a “trustworthy” financial institution is one that can be relied on to hold up its end of the relationship by being a responsible steward of the customer’s assets and information. This means safeguarding every aspect of the relationship, preventing harm from both internal and external sources. This can include
  • Maintaining the financial services company’s ongoing solvency and success. Nobody wants to use a financial services company that might go out of business at any moment or that doesn’t have the resources to invest in the latest and best capabilities.
  • Safeguarding the customer’s investment, both physically and digitally, maintaining effective vigilance against data thieves and saboteurs. Cybersecurity is critical for this point; a cybersecurity breach that exposes customer or supplier data can damage an institution’s reputation irreparably.
  • Safeguarding the customer’s privacy. Customers want to know that their sensitive financial data is going to stay private and not be compromised by hackers or careless internal handling.
So, who has the edge in this area: traditional institutions or FinTech start-ups? It’s a mixed bag, because they both bring advantages to the table. Customers may perceive large, traditional institutions as being more trustworthy because of their history and gravitas, and a large, well-established business may be more solvent and less likely to crash and burn (although it’s no guarantee, as we’ve seen in recent years). However, FinTech start-ups may have an edge on the data-safeguarding front because they build on current technology rather than on decades of accumulated legacy systems; a newer stack is not automatically a safer one, though, and the edge is only real where the start-up pairs it with disciplined security practice.


The second part of the equation is the services and their value. What does the financial service provider bring to the table that the customer wants? In an ideal world, the customer wants all the services, and all the options for receiving them, for the lowest possible price. The challenge, then, is to be the provider that best meets that demand.

One way that providers are able to offer greater value to customers is through disintermediation. To disintermediate means to cut out some or all the steps between two points — in other words, to “cut out the middle man.” Financial services traditionally has had lots of intermediate steps between a consumer’s need and its fulfillment, creating lucrative careers for stockbrokers, tellers, credit card processors, personal bankers, and even check-printing companies. However, in today’s market, disintermediation is becoming not only the norm but a near imperative to keep up with demand for lower costs and better value.

Fortunately, advancing technology has made it possible to automate many areas of the financial services value chain that were strictly manual operations in the past. This has enabled companies to economically provide services to customers that were expensive in the past due to the labor involved. In this endeavor, FinTech companies are better positioned than their traditional counterparts. They can be more responsive, more focused, and less distracted by legacy issues such as fixed cost, old infrastructure, and dated technology. The established players have been slow to respond to FinTech’s disintermediation and disruption because they haven’t wanted to cannibalize their legacy franchises. Many have attempted to offer digitalization only in noncore businesses or geographical areas. For example, some large banking institutions have experimented with offering new experiences such as payment services that compete with FinTech payment providers. However, these new offerings often require significant investment in new technologies to “get in the game,” such as mobile-friendly site design, cryptocurrency, and digital wallets. They must respond to continually advancing technology, changing consumer habits, and in some cases underserved and underbanked markets.

In China, the most successful FinTech firms have been BigTech companies that developed financial ecosystems in conjunction with their highly engaged consumers. One example, Ant Financial, was created on the back of Alibaba’s e-commerce platform, offering online payments, investments, digital banking, lending, and wallets. This was possible because China’s FinTech ecosystem is fundamentally different from that of the United States and Europe. In Western economies, successful FinTech firms have been disruptors, particularly in the payments, lending, and wealth management sectors. They have benefited from extensive consumer adoption of mobile technologies and internet access. Ant Financial is closer to the notion of TechFin rather than FinTech, where a large technology firm leverages its technology prowess to deliver financial products within its more efficient, broader service offering. It can also do this because it has generated a level of trust with clients that was previously reserved for traditional financial institutions.


10 Considerations When Using Open Source Technology

If you’re going to use open source in your organization, it’s critical to have a well-thought-out plan for doing so. There are many moving parts and many factors to consider when developing an open source strategy. This article summarizes some of the factors that may make a difference in how you want to proceed.

Your Business Model

Before determining the place for open source in your company’s plan, take a careful look at the company’s business model, current needs, and future goals. A FinTech company can help you identify what technologies are available, what the new trends are in the industry, and what future areas of growth you may want to plan for. You should also think about what open source can offer and how those offerings fit with the company’s goals. Some of the most compelling benefits open source can potentially offer include
  • Speeding up development and time to market
  • Reducing overhead
  • Removing redundancy
  • Increasing efficiency
However, those benefits don’t just magically materialize. The company must take a comprehensive approach to open source usage and management within the company’s structure. This includes having versioning and provisioning processes and takes into account the company’s general tolerance for oversight.

Open Source Community Health

Keep in mind that one of open source’s great potential benefits is the large pool of expert users who share their expertise and updates with one another. Therefore, one important consideration when looking at a particular open source solution is to what extent you’ll have access to such a community.

Here are some easy benchmarks for evaluating the health of an open source community:

  • How well is the project site developed?
  • Have the project site owners thoughtfully curated the resources and tools provided?
  • Is there a ticketing system?
  • Is the documentation well-conceived and regularly updated?
  • How many releases have there been and over how many years?
  • How many forks in the code have taken place?
  • How many contributors have there been over time?
  • How many users are there?
  • How well known is the code outside the project home?
  • Have there been any financial contributions/donations over time toward maintaining and further developing the project?
  • Do any large corporate users contribute to the code or its support?
  • How many maintainers are there?
  • How much has the code changed over time?
  • Are any statistics available about the code’s return on investment (ROI)?
  • How many organizations contribute to this project?
  • How often are there new releases?
  • How often is there code review?
  • How many regressions have there been over time?
  • How many bugs?
A good project site should be able to supply answers to all these questions.

Tech Support

Open source doesn’t follow the traditional support model. No single company is responsible for after-development support. Instead, a community of users and developers have freely assumed the responsibility of providing support and bug fixes.

Technical support for open source code can be problematic if the code doesn’t have an active user community, as we say in the previous section. An active user community can offer information and support that enables a company to deploy stable open source code logically and systematically. The factors we list there are reliable indicators of the code’s stability and quality because they point to there being people who care about the code and its viability. You must do your due diligence and research to determine the community health and, by association, the prospects for getting good technical support.

Keep in mind that the online user support community isn’t your only option for technical support. If you’re deploying a whole open source system, versus utilizing a small snippet of code, your expectation of support may be different, and you may opt for different approaches:
  • For large deployments, it may be beneficial to have in-house support.
  • On smaller projects, it may be possible to subcontract support directly from the project’s owner/creator or maintainer.

If you’re embedding open source in your proprietary software, you must weigh the risk of having no control against the level of support and the level of error fixing for the included open source code.

Security

Depending on how you plan to use the open source code, the level of security it provides may be inconsequential, critical, or somewhere in between. It’s important that you know your company’s security requirements and then compare them to what the product or code provides. One important security consideration is how well the code has been tested against security attacks. Several out-of-the-box static analysis tools are available that scan source code for common defect classes and produce security reports; projects that run them report the findings back to the maintainers. When reviewing a project portal and its documentation, note whether you can easily report bugs (ideally through a private channel for security issues), review the project’s security policy, and review any published reports of vulnerabilities. Fixed vulnerabilities should be listed in the release notes, so that you can tell which of your deployed versions are affected.

Some vulnerabilities are extremely common and readily identified, and any good development process avoids them. Finding such vulnerabilities in an open source product after its release can indicate sloppy development.

The open source world has no quality assurance standardization, so all open source code comes “as is.” You shouldn’t release or use anything that your own company’s quality assurance process hasn’t validated.

Also, no single database lists every open source vulnerability. There is, however, the National Vulnerability Database (NVD), maintained by NIST, which collects publicly disclosed vulnerabilities (indexed by CVE identifier) as they become known. Public disclosure cuts both ways: it tells you what to patch, but it also tells attackers what to exploit, so the window between disclosure and your fix is what matters. Deployed open source should be checked against this database, either manually or using automated tools, and any vulnerabilities found should be remediated promptly; a fix is only available once the maintainers have published one. Someone in your organization should be responsible for reviewing this database and managing any needed changes at least weekly, and preferably continuously through an automated dependency scanner.

Code Audits

Many organizations are hesitant to use open source code because of the potential for operational and security risk. Such risks can be minimized by regular and rigorous code audits. Open source code audits are important for two reasons: They expose any potential security concerns, and they expose any potential infringement issues. Not only must an organization have policies governing software selection, vetting, and review, but it must also demonstrate an understanding of the potential interdependencies entailed in the actual use and deployment within a larger framework. Auditors typically look for more than a simple spreadsheet as proof of proper oversight. To survive an open source audit, a company must demonstrate that it has educated its developers on the proper processes to follow before using even one line of open source code. There should also be a centralized repository of all contracts associated with open source that counsel has reviewed.

Staying on top of releases of open source code is crucial to surviving an open source audit. A company’s policies and tools should require regular open source code review. The primary purpose of such a review is to verify that the code has been updated with the latest releases and that any known vulnerabilities and reported errors have been fixed.

This review should entail
  • Listing all open source components, the version in your product, and the most current version available
  • A list of vulnerabilities associated with those components
  • A scheduled date by which to remediate any critical issues
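The review described above is mechanical enough to script. The following Python example, added here and not taken from the book, compares a component inventory (name, version in the product, latest upstream version) against a vulnerability feed and assigns each finding a remediation date by severity. The inventory, the advisories (their `EX-…` identifiers are made up), the affected-version ranges, and the remediation policy in `SLA_DAYS` are all constructed for illustration; in practice the feed would come from an NVD or advisory export and the policy from your own standards.

```python
"""Open source component review: inventory vs. vulnerability feed.

Added example, not from the book. All advisories, versions and the SLA
policy below are constructed for illustration, not real data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically.
    A plain string comparison would wrongly rank '1.9' above '1.10'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass
class Component:
    name: str
    in_product: str  # version shipped in your product
    latest: str      # most current upstream release


@dataclass
class Advisory:
    component: str
    advisory_id: str        # hypothetical identifier from a feed
    severity: str           # critical / high / medium / low
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet

    def affects(self, version: str) -> bool:
        """True if `version` falls in [introduced, fixed)."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


# Remediation window per severity, in days (assumed policy for this example).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    component: str
    in_product: str
    latest: str
    advisory_id: str
    severity: str
    fix_available: bool  # an upstream release at or above `fixed` exists
    remediate_by: date


def review(inventory: List[Component], feed: List[Advisory], today: date) -> List[Finding]:
    """Match every shipped component against every advisory and schedule a fix."""
    findings = []
    for comp in inventory:
        for adv in feed:
            if adv.component != comp.name or not adv.affects(comp.in_product):
                continue
            fix_available = (adv.fixed is not None
                             and parse_version(comp.latest) >= parse_version(adv.fixed))
            findings.append(Finding(comp.name, comp.in_product, comp.latest,
                                    adv.advisory_id, adv.severity, fix_available,
                                    today + timedelta(days=SLA_DAYS[adv.severity])))
    # Earliest deadline first, so the critical items head the report.
    findings.sort(key=lambda f: (f.remediate_by, f.component))
    return findings


def outdated(inventory: List[Component]) -> List[str]:
    """Components that lag the latest upstream release (vulnerable or not)."""
    return [c.name for c in inventory if parse_version(c.in_product) < parse_version(c.latest)]


# Constructed sample data (not real components or advisories).
SAMPLE_INVENTORY = [
    Component("libparse", "2.3.1", "2.4.0"),
    Component("netclient", "1.9.0", "1.10.2"),
    Component("crypto-utils", "0.8.5", "0.8.5"),
]
SAMPLE_FEED = [
    Advisory("libparse", "EX-2024-001", "critical", "2.0.0", "2.3.2"),
    Advisory("netclient", "EX-2024-002", "medium", "1.8.0", None),
    Advisory("crypto-utils", "EX-2024-003", "high", "0.9.0", "0.9.3"),
    Advisory("libparse", "EX-2023-004", "low", "1.0.0", "2.0.0"),
]

if __name__ == "__main__":
    print("Outdated:", ", ".join(outdated(SAMPLE_INVENTORY)))
    for f in review(SAMPLE_INVENTORY, SAMPLE_FEED, date(2024, 1, 15)):
        status = "fix available" if f.fix_available else "NO FIX YET"
        print(f"{f.remediate_by} {f.severity:8} {f.component} {f.in_product} "
              f"(latest {f.latest}) {f.advisory_id} {status}")
```

Two details matter in practice. First, version comparison must be numeric, or `1.10` sorts below `1.9` and a fixed release is wrongly flagged as vulnerable. Second, a finding with no upstream fix still gets a deadline; the remediation there is a mitigation or a replacement component, and the report should make that visible rather than silently waiting for a patch.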

Sustainability

When selecting open source software or code, future sustainability is a major concern. Open source code is sustainable only if there are dedicated user and contributor bases. Open source, like all code, has a life cycle, so it’s not unusual for the number of developers to decrease over time, as long as consumption of the product doesn’t wane.

You can easily gauge the value of open source code by simply using standard internet search tools. Social media also supports open source discussion through blog posts and articles discussing projects.

Narrow down your selection to three possible candidates by using this checklist. If your open source candidate holds up positively to these questions, it will pass most internal and external audits:
  • Does it have a large user base? If so, it’s likely to have strong support and a good likelihood of longevity.
  • Does it have a good reputation? Reputation isn’t everything, but it is important.
  • Is it interoperable? You want to be able to use this code easily.
  • Does it require specialized skill to use or maintain? If so, maintenance could be costly.
  • Does it have sufficient, well-written documentation? Because contributors to open source have varying skills, review of documentation is critical. In fact, the use of the documentation to support the code should be part of the quality assurance (QA) done on the open source code before it’s incorporated into production.
  • Has it used open standards? Code built on open standards and practices is easier to maintain.
  • Does it have a good support network? A support network can include not only a user and developer community but also paid support options.
  • How often has the code been updated since its inception? What is its most recent update? Frequent is better.
  • Is the project site well trafficked and well maintained? Does it exhibit good governance and community participation? A review of release notes and user statistics can help in determining this.
  • Is the open source license associated with the product clearly defined? Your legal counsel should review it, and you should make sure no conflicts occur with other open source agreements.
  • Is there any larger group behind the development of the project? A large company that relies on the code or regularly contributes to it is a benefit.

Hidden Costs

Open source is appealing because there’s an implied understanding that it’s “free.” But as we say, nothing is ever really free. You must understand the open source offering and the organization’s needs before you can understand its potential costs. On the surface, there appear to be savings from the outset because you pay nothing for the license and use of the code. There are hardware, maintenance, support, and legal costs, but these too may be less expensive compared to enterprise third-party offerings. Cloud strategies and the use of open source platforms can eliminate some of the network overhead. Though the use of these items isn’t free, in that development and deployment costs are associated with them, they should be significantly less expensive than in-house company-owned equipment. There are also other intangible benefits in using open source. For example, faster development time is a real and quantifiable benefit.

To understand and manage costs, take a look at the following areas of setup and maintenance, where there can be ownership costs, and determine ways to control and scope them prior to making a commitment. Setup costs include the following:
  • Hardware: Review the project site for hardware recommendations and make sure you have them on hand. If not, the cost of the hardware will need to be built into the budget.
  • Integration: The size of the project will determine the size of the staff. If it’s an application, outside resources may be required. Create a deployment project plan. Analyze interfaces and interoperability. Specialists may be required.
  • Replacement: If this is a replacement strategy, you must understand what components are needed. Data transfer can be time-consuming and may require specialists.
  • Customization: Open source doesn’t mean “one size fits all” out of the box. You must budget for developer costs to modify code to fit your unique needs.
  • Training: New software implies new training and perhaps some slowdown in productivity.
Maintenance includes the following:
  • Updates: Someone will need to rigorously monitor the project site for available patches and releases and take charge of applying them.
  • Customization: Any customization your organization does to the code will require support throughout the life of the product.
  • Support: User and developer support must be available throughout the life of the product.

When selecting open source software, pay special attention to these areas that may necessitate additional expenses:

  • Interfaces: Because of poor user interfaces, less and inconsistent documentation, and lack of training, there could be increased time spent on administrative functions with some open source products.
  • Support complaints: Because of the lack of designated support and inconsistent documentation, your internal team may spend more time on troubleshooting.
  • Bug fixing: Because not all open source projects have a standardized approach to QA and regression testing, your in-house team may be responsible for finding and fixing bugs themselves.
  • Additional development: After you’ve implemented an open source solution, you may find that you need further code development due to some unanticipated issue, such as poor network performance.
  • Extensibility: There are no guarantees that any code will be future-proof. The only insurance you may have is that the code has been built on the latest flexible architecture in an easily utilized language.

Updates and upgrades

Through new releases, programs get new functionality, bug fixes, and higher levels of security and usability. However, with open source, there’s also a more pressing reason that updates and upgrades have to be current — the code is open to all. Anyone can see it when issues arise, including hackers looking for vulnerabilities they can exploit.

When a vulnerability is found, it’s published to the project and later to websites that list all open source vulnerabilities. These lists are fodder for hackers. Luckily, you can use tools — such as Zoho, Bugzilla, and MantisBT — to make sure that you don’t miss updates and to check the open source code you’re using against known vulnerabilities and their severity. With internal accountability for fixing issues as they occur and resubmitting the fixes back to the project, you can handle maintenance and security with minimal risk.

Updates and new releases should go through proper quality assurance. Because no standards are established in open source for quality control, it’s your company’s responsibility to see that the standard of the open source code meets the company’s quality standards.

When engaged in updating or upgrading, note that backward compatibility isn’t a given. Testing is a requirement to guard against fatal errors caused by version conflicts. The compatibility issue becomes more complicated when multiple open source projects are used together. In such situations, you should test open source components in the actual environment they function in rather than in isolation. To avoid the risk of attacks against known vulnerabilities and of third-party update incompatibility, your company will need to take a regimented approach to updates and releases. The regimen should include a calendared weekly review of all open source updates. You can automate this process using code management tools. All security issues and bug fixes should be prioritized for immediate updates as determined by their level of severity. New functionality should be prioritized according to business needs.

There should be a centralized repository that developers use for all open source code. By limiting the accessibility to the open source code to one repository, you avoid the possibility of different teams using different versions.

Educational reviews of all open source products in use should be shared with the development teams on a regular, frequent schedule.
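The weekly review regimen described above (a single inventory of open source components, a check of each component against published advisories, security fixes ranked by severity ahead of functional updates, and a watch for different teams running different versions) can be scripted. The following is an added example written for this page, not code from the book or from any tool it names; the inventory, the advisories, and the advisory identifiers (`ADV-CONSTRUCTED-…`) are all constructed placeholders, and the "affected below version X" rule is a simplification of how real advisories express affected ranges.

```python
"""Weekly open source update review: inventory vs. advisories.

All component names, versions, advisory ids and severities below are
constructed sample data for illustration, not real projects or advisories.
"""
from dataclasses import dataclass
from typing import Optional

# Lower rank sorts first: security fixes are applied by severity.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    team: str          # which team pulled this version from the central repository


@dataclass(frozen=True)
class Advisory:
    advisory_id: str       # constructed placeholder, not a real identifier
    component: str
    affected_below: str    # versions strictly below this are affected (simplified range)
    severity: str          # one of SEVERITY_RANK
    fixed_in: Optional[str]  # None when the project has published no fix yet


# Constructed inventory: note libfoo appears in two versions across two teams.
INVENTORY = [
    Component("libfoo", "1.2.0", "payments"),
    Component("libfoo", "1.4.1", "reporting"),
    Component("webframework", "3.0.2", "payments"),
    Component("jsonlib", "2.9.0", "reporting"),
    Component("cryptoutil", "0.8.0", "payments"),
]

# Constructed advisory feed for the same components.
ADVISORIES = [
    Advisory("ADV-CONSTRUCTED-001", "libfoo", "1.3.0", "high", "1.3.0"),
    Advisory("ADV-CONSTRUCTED-002", "webframework", "3.1.0", "critical", "3.1.0"),
    Advisory("ADV-CONSTRUCTED-003", "jsonlib", "2.8.0", "low", "2.8.0"),   # inventory already patched
    Advisory("ADV-CONSTRUCTED-004", "cryptoutil", "0.9.0", "medium", None),  # no fix published
]


def find_version_drift(inventory):
    """Components in use at more than one version: the situation a single
    central repository is meant to prevent. Returns {name: [versions...]}."""
    seen = {}
    for comp in inventory:
        seen.setdefault(comp.name, set()).add(comp.version)
    return {name: sorted(vs, key=parse_version) for name, vs in seen.items() if len(vs) > 1}


def prioritize_updates(inventory, advisories):
    """Match every component against every advisory and return the affected
    ones as dicts, most severe first. Where no fix exists the action is to
    mitigate and keep watching the project rather than to upgrade."""
    findings = []
    for comp in inventory:
        for adv in advisories:
            if adv.component != comp.name:
                continue
            if parse_version(comp.version) >= parse_version(adv.affected_below):
                continue  # this version is already at or past the affected range
            action = (f"upgrade to {adv.fixed_in}" if adv.fixed_in
                      else "no fix published: mitigate and monitor the project")
            findings.append({
                "component": comp.name, "version": comp.version, "team": comp.team,
                "advisory": adv.advisory_id, "severity": adv.severity, "action": action,
            })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["component"], f["team"]))
    return findings


def weekly_report(inventory=INVENTORY, advisories=ADVISORIES) -> str:
    """Plain-text summary suitable for the calendared weekly review."""
    lines = ["== Version drift (more than one version in use) =="]
    for name, versions in find_version_drift(inventory).items():
        lines.append(f"  {name}: {', '.join(versions)}")
    lines.append("== Security updates, by severity ==")
    for f in prioritize_updates(inventory, advisories):
        lines.append(f"  [{f['severity']:<8}] {f['component']} {f['version']} ({f['team']}) "
                     f"{f['advisory']}: {f['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(weekly_report())
```

In a real deployment the inventory would be generated from the central repository's manifests (a software bill of materials) and the advisory list pulled from the project's own security page or a vulnerability database, with the range logic replaced by the database's actual affected-version semantics; the ranking and drift checks stay the same.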

Potential hardware impact

The ever-increasing demand for real-time computation has driven companies to search for cheap compute environments. As virtual servers and in-the-cloud burst delivery mechanisms are replacing brick-and-mortar server sites, it’s important to understand the costs involved in moving away from physical on-site environments. FinTech companies are well situated to advise members of the financial industry about tactics and strategies that reduce operating costs and still deliver near-real-time analytics in the areas where they are required. Speed isn’t a requirement for probably 80 percent of the data storage and manipulation that goes on in most financial firms. With that said, open source has often been a trailblazer in the area of reducing costs by creating and facilitating “free” operating systems. There are of course costs associated with the creation of hardware, which has made open source hardware development projects challenging to achieve. Even with its success, Apache’s web server and Tophat are funded only through corporate sponsorship and user conferences. With the cost constraints around creating free open source hardware (FOSH), FOSH projects rely on the community to build hardware based on the intellectual property developed (such as data layouts, integrated circuit schema, mechanical drawings, and so on). The academic community has driven FOSH’s creation and development to date. Its hardware development artifacts are captured via hardware description language (HDL). However, utilizing open source software code with open source operating systems and the available security and efficiency tools can result in significant savings. Cost reductions have been reported as high as 44 percent for hardware costs based on intelligent strategies around open source, cloud-based deployments and virtual servers.

Legal considerations

Open source/free licensing contracts test the complexity of good governance and legal adherence. Unfortunately, there isn’t a one-size-fits-all generic contract available for open source. Another layer of complexity becomes apparent when reviewing all open source contracts a company uses. The contracts often have interoperability issues with each other. And finally, international use of open source may raise other legal restrictions that have to be understood and resolved.

When reviewing the licenses associated with open source, pay particular attention to the following:

  • There should be no audit rights that reach into an organization’s network directly.
  • There should be no fines associated with the inadvertent deployment of unlicensed open source code.
  • See whether you can purchase an outside warranty for the open source used. There are no warranties with open source code. If you use it, the liability for it lies with you as the user.
  • Check to see whether conflicts exist with the use of libraries within the open source code.
  • Make sure there are no requirements to provide written notification of initial ownership or code creation within the code.
  • Make sure there are no restrictions on the use of proprietary code with open source.

Be sure to check the open source project for pending legal actions. Your rights aren’t protected should a lawsuit be launched against a project; your right of use may be obstructed.

There should be regular training about the policies around the use and maintenance of open source for users and developers.

Copyleft is the most common version of an open source license agreement. It allows anyone to change the code, but code the company develops as part of that open source can’t be repackaged as third-party or proprietary software. With copyleft, anyone making changes to the code must make the new iteration available to all. Non-copyleft licenses permit developers to make any changes to the code, including retaining the modification as proprietary. Purists of open source don’t like this version because it violates the spirit of open source and restricts the sharing of all functionality as it’s developed. Corporations, of course, would like to retain control over what they pay their developers to create. Non-copyleft code is therefore more acceptable to corporations and for projects needing fast and ubiquitous adoption. One of the issues with non-copyleft code development is that new functionality may not be resubmitted back to the project and may result in the original code’s use and growth being stifled due to forking.

Maintaining a directory of all open source components in your organization is no easy task. Along with the components, you must also track the license requirements and understand the potential for licensing conflicts. There are hundreds of different types of open source licenses, and the licensee must adhere to the terms of each agreement it has accepted.

One of the early fears surrounding the use of open source within proprietary software remains a concern today. The broad reach of the open source agreements provides the potential loss of ownership of proprietary software if the proprietary code is inadvertently embedded in open source. This concern can be mitigated only by “best practice” development process, review, and vigilance.