At JPMorgan Chase, we rely on open source software to help drive our innovation. Our more than 53,000 global technologists utilize thousands of open source packages to develop tools that give our company, clients, and customers an edge. Today, we took a step to enhance the security of these packages and make our operations – and the entire ecosystem – more resilient. We are proud to have worked with the Open Source Security Foundation (OpenSSF) and its members to create the new Open Source Software Security Mobilization Plan, which will help to address security issues in the software supply chain.

Why is securing the Open Source Software Supply Chain important?

Our technology is only as good as our ability to secure it. Like all software, open source code bases contain vulnerabilities. In 2021, NIST reported that more than 22,000 unique vulnerabilities were discovered that year and reported as Common Vulnerabilities and Exposures (CVEs). Understanding and mitigating vulnerabilities before code goes to production helps to reduce the risk in our investments and removes friction for developers deploying code.

Securing the software supply chain is critical to protecting our customers, maintaining their trust, and running our services without interruption. Open source code is integrated in software solutions provided by nearly all service providers across the world. We need to understand what goes into the technology that we consume, its provenance, and how to verify its integrity if we want to secure it. This is what we mean by securing the software supply chain.

What is JPMorgan Chase’s connection to the Open Source community?

We have a long history of building successful open source projects, forging open standards, and contributing to the open source community at large. In the early 2000s, we developed the Advanced Message Queuing Protocol (AMQP), an open standard for passing business messages between applications or organizations. More recently, we launched Quorum, an enterprise-grade, open sourced, permissioned blockchain network that empowers businesses of all types to build high-performance applications at scale. Our contributions and strategic investment in Quorum are a testament to our technical prowess and ability to create value in this space. In 2020, we sold Quorum to allow it to become a broader industry standard.

As a Fintech Open Source Foundation (FINOS) member, we have contributed to and maintained projects such as Perspective, an interactive analytics and data visualization component, and many other open source projects on GitHub.

Driving security collaborations across industry

In 2019, JPMorgan Chase partnered with tech giants, including Microsoft, IBM, and Intel, to form the Open Source Security Coalition (OSSC). In 2020, we were a founding member of the OpenSSF, which supports and advances the security of open source software while bringing together efforts from the Core Infrastructure Initiative, GitHub Security Lab, and more. Other founding members include Google, GitHub, IBM, Intel, Microsoft, NCC Group, and Red Hat. As one of the OpenSSF's premier members, we have supported and contributed to its projects and initiatives.

To inform our vulnerability management process, we are working to ingest and consume Software Bills of Materials (SBOMs). An SBOM is like an ingredients list for software – it identifies which code packages, including open source, go into a piece of software that has been developed. In 2021, we launched a Financial Sector SBOM project with the US Department of Homeland Security; the National Telecommunications and Information Administration, an agency of the US Department of Commerce; the Financial Services Information Sharing and Analysis Center; and other global financial institutions, including Bank of America, Citi and Morgan Stanley, to employ a provisional SBOM format and exercise SBOM use cases for production and consumption. The goal of this ongoing initiative is to demonstrate the successful use of SBOMs and encourage cross-sector efforts to establish standardized formats and processes.
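The following example, added to this post and not JPMorgan Chase's own tooling, shows what "ingesting and consuming" an SBOM to inform vulnerability management looks like in practice: it loads a small CycloneDX-style SBOM (the field names follow the CycloneDX JSON schema; the components, advisory identifiers and version ranges are constructed for illustration), extracts each component's name and version, and flags every component whose version falls inside an advisory's affected range. The advisory format is an assumption made for the example, using half-open [introduced, fixed) ranges; version comparison is deliberately simple and only handles dotted numeric versions.

```python
"""Minimal SBOM ingestion: match the components listed in a CycloneDX-style
SBOM against a feed of advisories.  Example added to this post; the SBOM,
the advisories and the package names are constructed and do not describe
any real project."""
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM.  "bomFormat", "specVersion", "components",
# "name", "version" and "purl" are real CycloneDX field names; the values
# are made up.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-parser", "version": "2.3.1",
         "purl": "pkg:pypi/example-parser@2.3.1"},
        {"type": "library", "name": "example-logger", "version": "1.0.9",
         "purl": "pkg:pypi/example-logger@1.0.9"},
        {"type": "library", "name": "example-crypto", "version": "4.2.0",
         "purl": "pkg:pypi/example-crypto@4.2.0"},
    ],
})

# Constructed advisory feed (assumed format): each entry names a package and
# the half-open version range [introduced, fixed) that is affected.  The
# advisory IDs are placeholders, not real CVE or GHSA identifiers.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "example-parser",
     "introduced": "2.0.0", "fixed": "2.3.2"},
    {"id": "EXAMPLE-ADV-0002", "package": "example-logger",
     "introduced": "1.1.0", "fixed": "1.1.4"},
    {"id": "EXAMPLE-ADV-0003", "package": "example-crypto",
     "introduced": "0", "fixed": "4.2.0"},
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a tuple of ints.  Non-numeric
    fragments count as 0; adequate for the constructed data above."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed.  All three tuples are padded
    to the same length so that "1.0" and "1.0.0" compare as equal."""
    v, lo, hi = (parse_version(s) for s in (version, introduced, fixed))
    width = max(len(v), len(lo), len(hi))
    v, lo, hi = (t + (0,) * (width - len(t)) for t in (v, lo, hi))
    return lo <= v < hi


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract (name, version, purl) records from a CycloneDX JSON document.
    Components without a name or version cannot be matched and are skipped
    rather than aborting the whole ingestion."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    components = []
    for comp in bom.get("components", []):
        if "name" not in comp or "version" not in comp:
            continue
        components.append({"name": comp["name"], "version": comp["version"],
                           "purl": comp.get("purl", "")})
    return components


def find_vulnerable(sbom_json: str, advisories) -> List[Tuple[str, str, str]]:
    """Return (component name, version, advisory id) for every component in
    the SBOM whose version falls inside an advisory's affected range."""
    hits = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["package"] == comp["name"] and version_in_range(
                    comp["version"], adv["introduced"], adv["fixed"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


if __name__ == "__main__":
    for name, version, adv_id in find_vulnerable(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(f"{name} {version} is affected by {adv_id}")
```

With the constructed data only example-parser 2.3.1 is reported: example-logger 1.0.9 predates the affected range, and example-crypto 4.2.0 is exactly the fixed version, which the half-open range correctly excludes. In a real pipeline the SBOM would come from the build system and the advisories from a vulnerability database; the matching logic stays the same, but component identity should be matched on the package URL (purl) rather than the bare name, since the same name can exist in several ecosystems.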

Security is a process, not the end state

At JPMorgan Chase, security is everyone’s job. We regularly share security best practices with employees, train our developers on secure software development, and invest in automated tools that identify security issues in code. As our developers contribute to open source projects, this focus on training and enhanced security processes will contribute to the broad uplift of security across open source software.

We are committed to following professional and technical standards for the open source code that our developers upstream or release themselves. We continue to support and take an active role in shaping industry’s and government’s efforts to secure the open source software supply chain, including today’s Open Source Software Security Mobilization Plan.