Cloud-Native Package Management for the Banking Industry

Software development in the banking and finance industry can make you feel like you’re wearing chains. Regulation, compliance, upfront costs, privacy, legacy systems, fear of cyberattacks, and an “if it ain’t broke” approach can lead to a lack of innovation.

Despite these challenges, some technology-forward banks like Capital One, JP Morgan Chase, HSBC, and Wells Fargo have embraced the cloud and introduced DevSecOps and cloud-friendly architectural practices.

This change has been aided by the fact that cloud providers including Google Cloud, AWS, Microsoft and HPE can now guarantee compliance to banking regulations, and the existence of new cloud-native core banking engines like Thought Machine to help banks move off their legacy systems. This cloud transformation helps banks stay competitive, move away from batch processing towards real-time results, attract engineers, reduce costs and come up with new innovative products.

Part of this cloud transformation means updating the tech stack for developers working in banking: getting rid of ‘on-prem’ applications and moving to cloud-native equivalents.

Cloudsmith is seeing new interest from financial institutions that want to implement a cloud-native SaaS product; they are no longer demanding on-prem versions of our product. Today, let’s dive into the benefits of cloud-native package management tools for the finance industry.

So what do developers working in banking need from their package management solution? They need to be able to:

In the next few sections, we’ll explore:

Moving packages to the Cloud

The banking industry has been slow to adopt the cloud, and many banks still run their own data centers to process huge workloads. Banks have long understood that using cloud infrastructure has cost-saving benefits but were reluctant to move from their ‘on-prem’ systems due to privacy and regulatory reasons. The distrust in the cloud is waning as the risks are understood, and the technology matures. Much of the push to stick with legacy systems is driven by business-as-usual culture, upfront costs, and priority.

Banks have conflicting priorities, making it difficult to find the IT time when systems are happily working, but the pandemic gave many organizations space to revisit and revive their IT strategies. Several large banks have undergone a cloud transformation during the pandemic, including:

  • Capital One
  • JP Morgan Chase
  • HSBC
  • Wells Fargo

“A key factor causing ‘core to the cloud’ to reach a tipping point is that cloud-native core banking software applications such as Thought Machine, Mambu, and Finxact are reaching a level of maturity where the journey is worth the effort,” says Alan McIntyre, a senior industry director for Banking at Accenture.

Maintaining data centers and staying ‘on-prem’ is not just a case of standing still but of going backwards.

We've covered the many reasons to move to the cloud as a finance organisation below.

Innovation

Banks need to innovate quickly to meet customers' ever-changing needs. Big Tech and Fintechs are putting banks under competitive pressure by offering financial products of their own. Standing still is no longer an option.

Areas to innovate include:

Real-time results

“Everything is moving to real-time,” says Rohan Amin, the chief product officer at Chase. Customers want their services, like their balances, updated immediately in real-time. Cloud computing facilitates moving to real-time as a general model.

Resilience, scalability, and availability

Banks need high availability, resiliency, reliability, and scalability to serve their customers with minimum downtime. Cloud-native software can quickly re-adjust its resources to meet demand. When volumes spike in financial markets, traders can use extra computing power to analyze price movements and handle bursts of client activity.

A company experiencing rapid growth can use the cloud to expand its infrastructure and computing power. In contrast, the same company using on-prem infrastructure would have to quickly invest in more hardware, software, and engineers to keep up with rapid growth.

Security

Banks are becoming less wary of the security of the cloud, in part because cloud infrastructure providers and services have matured and can now offer controls validated by third-party audits against standards like ISO, PCI, and SOC, which prove compliance with privacy and banking regulations.

Cloud has security advantages over on-premise systems that rely on physical servers. A secure system needs a secure building, training, constant security updates, high availability, monitoring, and disaster recovery infrastructure.

Although banking organizations that host their software on-prem take security very seriously, it is expensive and consumes many working hours. Cloud providers are driven to focus on security as their business and reputation depend on providing a robust and secure service. As a result, cloud providers use highly sophisticated security tools and resources beyond the reach of most in-house teams.

Security is a risk when moving to the cloud, but by designing a system with security in mind and by incorporating security into your build and deploy process, your system can be more secure than a traditional on-prem system and stay compliant with regulations.

Cost of Maintenance and Infrastructure

The upfront cost savings of not having loads of servers in a server farm and “doubling up” by maintaining remote locations for disaster recovery—which all banks require—is significant. Cloud software is hosted for you. You don’t have to worry about maintaining your “on-prem” software or infrastructure: no updates, no security patches, no replacing obsolete hardware.

Cloud-native technologies allow businesses to reduce their total cost of ownership, especially when you factor in the staff costs of maintaining “on-prem,” never mind the licensing fees.

Distributed Teams

Devs need a package management solution that handles a distributed workforce, giving everyone similarly low-latency access. Tools that don’t do this can lead to reduced collaboration, developer unhappiness, and lack of confidence in your software process.

Attracting Engineers

Software engineers are hard to come by, COBOL and assembler specialists even more so. Engineers want to work with the latest technologies. Banks need to embrace tooling that takes advantage of the automation and scalability of cloud-native technologies, freeing up your engineering and server resources to build your products.

Cloud-Native Package Management

Migrating to the cloud has helped many banks and financial institutions compete, improve efficiencies, and lower costs. On-premise software cannot compete with cloud-native software in terms of scalability and flexibility.

Cloudsmith is a cloud-native package management tool that makes life simpler for engineers. Don’t worry about infrastructure, patching, upgrades, replications, or scaling. Our cloud-native architecture enabled us to develop a smart CDN for software packages, called the Package Delivery Network (PDN). The PDN is optimized to ensure lightning-fast delivery for deploying or shipping licensed software to your customers.

Package Management in Finance

A package/artifact/image groups together files containing your software, along with the metadata about the software and dependencies in a well-defined format.

Packages promote code reuse, as code can be dropped into another application and used easily. Packages are created using a package manager and are usually stored in a repository, like Cloudsmith (Read our article for a more comprehensive introduction to package management).

Finance Software Packages

The table below details some common software packages used in banking and fintech:

Package Format | Language | Package Manager | Central Public Repository
--- | --- | --- | ---
Maven | Java | Maven/Gradle/ivy/sbt | Maven Central Repository, Gradle Plugins
NuGet | .NET, C# | NuGet/Chocolatey | NuGet, PowerShell Gallery, Chocolatey
wheel package file | Python | pip | PyPI
Helm charts | Kubernetes | Helm | ArtifactHub
Docker image | Docker | Docker | Docker Hub
Go module | Go | Go | No official central repository for Go
Crates | Rust | Cargo | Crates.io
Conda packages | Conda | Conda | Anaconda
sbt plugin/Maven | Scala | sbt | Maven Central Repository
R Packages | R | CRAN | R Archive Network
Lua modules | Lua | LuaRocks | LuaRocks
binary | C++ | Conan or none | ConanCenter

If you're curious to learn more about specific package formats, check out our articles:

  • What is Conda
  • What is NuGet
  • What is Helm

Package Management in Core Banking

Banking applications tend to use programming languages that support high-performance computation ‘cores’ with the least amount of pain, are easy to maintain, and are stable over time.

Java is used extensively in the financial services industry, so Maven is one of the most popular package formats used in banking. Scala seamlessly integrates with Java and is extensively used for large-scale processing. C# and its NuGet packages are popular in banking for similar reasons to Java. C++ is often used in projects that require speed, like trading systems, but it is also often associated with legacy banking systems.

Go and Rust are the new kids on the block in banking and are replacing some core bank functionality. They are both very fast, have nice modern features, and developers tend to find them simpler and more enjoyable.

Package Management in Data Analytics

Data in banks is growing day by day, and it is driving new insights, security capabilities, and new products.

Data scientists, data analysts, and software engineers in banking analyze large datasets and require high performance. Particular software ecosystems specialize in data analytics, including Python, CRAN, Conda, and R.

Package Management in the Cloud

Banking in the cloud requires specific package formats like Docker for containerization, Helm for deploying apps to a Kubernetes cluster, and Terraform to automate the provisioning of resources on cloud infrastructure.

Cloudsmith is a universal, secure, and cloud-native package management platform built for modern enterprises and distributed teams. We support all formats, including Maven, NuGet, Go, Scala, Rust, Docker, Helm, R, Lua, Conda, and raw files, which cover any other file type, including binaries.

Because it is unusual for any tech stack to use only one type of format, Cloudsmith provides universal, multi-format repositories. Multi-format repositories allow you to store packages of different types in one repository. They are especially useful if your tech stack uses multiple languages and containers and can help simplify and reduce the number of repositories you manage.

Cloudsmith blends package management and software supply chain management, storing all your software artifacts, dependencies, and metadata. Have one place to store, manage and secure all your packages accessible from anywhere in the world without compromising performance.

Banking, open-source, and securing the supply chain

The attack surface for the software supply chain is vast. It includes all of the steps that go into developing and deploying your software including:

Recent attacks like SolarWinds, CodeCov, Log4Shell, and attacks on public repositories have prompted efforts to improve the security of software supply chains. The focus on supply chain security has highlighted the importance of package repositories and package management.

Over 80% of software contains open-source software (OSS). 3rd party OSS dependencies are used in all software, including the financial services supply chain. Proprietary software is not more secure than OSS, but a vulnerability in a popular OSS package can have a huge impact. A critical vulnerability in the Log4j open-source package, Log4Shell, sent ripples through banking circles due to the extensive use of Java in banking.

The answer is not to turn away from open source, but to adopt techniques that increase trust in builds and artifacts, like OpenSSF’s sigstore, scorecards, SLSA levels, and in-toto, and to generate and consume a Software Bill of Materials (SBOM).

In order for banks to use a SaaS-based package repository, they should expect:

Robust Security

If banks are going to use cloud SaaS products to store their packages they need strong security features to prove they are trustworthy:

The Single Source of Truth

Private repositories that support many formats provide one single place to track, manage, distribute, and understand all software pulled into your stack. A central trusted store forces you to apply processes and controls to the ingress and egress of software packages.

Provenance of Packages

Package repositories can secure your packages and interrogate the provenance of packages:

Automation

Package repositories should promote automation by applying Continuous Packaging (CP) techniques to integrate programmatically with CI, CD, and scanning tools. Automating as much of the software supply chain as possible can significantly reduce the possibility of human error, improve quality, and traceability and help make builds more reproducible.

Securing open-source software supply chains

A software supply chain attack is a cyber-attack that seeks to damage an organization by targeting elements in its software pipeline like its open-source dependencies. A report conducted by the EU Agency for Cybersecurity (ENISA) projected “2021 may have 4 times more supply chain attacks than 2020”, with more than half of these attacks being attributed to Advanced Persistent Threats (APTs) from nation-state actors.

There has been a massive effort by the US Government and OSS foundations led by the Open Source Security Foundation (OpenSSF) to help maintainers and consumers of OSS build secure software. Early this year, in the wake of the vulnerability exposed in Log4j, The White House convened government and private sector stakeholders to discuss how to improve the security of OSS as it is “a national security concern.” There is a particular focus on securing projects used by critical infrastructure such as banks.

Last year the US President issued an Executive Order mandating a Software Bill-of-Materials (SBOM) for critical software. OpenSSF’s sigstore is another high-profile initiative to secure the OSS supply chain by making signing OSS packages easy and meaningful.

Securing software supply chains will require a combination of using secure developer-focused tooling, an increase in automation, education, and adopting new strategies to trust and verify open source dependencies.

Securing software supply chains with Cloudsmith

Cloudsmith establishes trust and provenance in your software supply chain, including your OSS 3rd party dependencies, by surfacing your package metadata: package checksums, how and by whom your packages were built, and what dependencies your packages contain. Cloudsmith also isolates and protects your software supply chain from public upstream sources like Maven Central by proxying or caching your OSS artifacts.
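As an added illustration of the two ideas above (consuming an SBOM, and checking package checksums against what the trusted repository recorded), here is a small audit routine. It is example code written for this article, not Cloudsmith's own implementation; the SBOM, the trusted checksums, and the deny-list are all constructed sample data.

```python
"""Audit a CycloneDX-style SBOM before a build is allowed to pull its packages.

Two checks are enforced (example code, not a Cloudsmith feature):
1. each component's SHA-256 must match the checksum the trusted repository
   recorded at upload time (constructed TRUSTED_CHECKSUMS below);
2. no component may be a version the organisation has placed on a deny-list.
"""
import hashlib
import json

# Constructed sample SBOM, trimmed to the CycloneDX fields the audit uses.
# The second component carries a bogus hash to simulate a substituted artifact.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"name": "example-lib", "version": "1.2.3",
         "purl": "pkg:maven/com.example/example-lib@1.2.3",
         "hashes": [{"alg": "SHA-256",
                     "content": hashlib.sha256(b"example-lib-1.2.3").hexdigest()}]},
        {"name": "old-logger", "version": "0.9.0",
         "purl": "pkg:maven/com.example/old-logger@0.9.0",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
    ],
})

# Constructed checksums as the trusted repository recorded them at upload time.
TRUSTED_CHECKSUMS = {
    "pkg:maven/com.example/example-lib@1.2.3": hashlib.sha256(b"example-lib-1.2.3").hexdigest(),
    "pkg:maven/com.example/old-logger@0.9.0": hashlib.sha256(b"old-logger-0.9.0").hexdigest(),
}

# Constructed policy: versionless package URL -> versions that must not ship.
DENYLIST = {"pkg:maven/com.example/old-logger": {"0.9.0"}}


def audit_sbom(sbom_text: str) -> list[str]:
    """Return a list of findings; an empty list means the SBOM passed both checks."""
    findings = []
    for comp in json.loads(sbom_text).get("components", []):
        purl = comp["purl"]
        base, _, version = purl.rpartition("@")  # split "pkg:...@1.2.3" into base and version
        sha = next((h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"), None)
        expected = TRUSTED_CHECKSUMS.get(purl)
        if expected is None:
            findings.append(f"{purl}: not present in trusted repository")
        elif sha != expected:
            findings.append(f"{purl}: SHA-256 mismatch (tampered or substituted artifact?)")
        if version in DENYLIST.get(base, set()):
            findings.append(f"{purl}: version is on the deny-list")
    return findings
```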

Cloudsmith has started work on integrating with emerging technologies to help trust and secure the open-source supply chain. Cloudsmith will be releasing support for:

  • Cosign:
  • SBOMs:

A Package Management Solution for Banking and Fintech

Nobody wants banks to be the first adopters of unproven technologies. Cloud infrastructure has matured to a point where many tier-one banks are undergoing a cloud transformation.

Cloud-native package management solutions are part of this transformation.

Software developers working in finance need package management tools to work with their package formats such as Maven, Conda, Scala, Go, R Packages, Docker, or Helm.

On top of that, finance software developers need tools that are easy to automate against to help them secure their supply chain, that scale as they grow, and can work with a distributed team.

If you’re a fintech or a banking organization that’s looking for a simple solution to secure development artifacts, you can sign up for a free 14-day trial and set up your first repository in just 60 seconds.
