 Good afternoon, everyone. Hey there. Hey, welcome to OpenJS and Finance. Thank you, Gabb and team at the Fintech Open Source Foundation. We are so excited to participate with you all. I'm Robin Ginn, executive director of OpenJS Foundation. My name is Daniel Cusano. I am a senior engineering manager over at GoDaddy, and I also sit on GoDaddy's board seat for the OpenJS Foundation. So I am a board director. I like saying that. Working board director, super active. Yes, you are, like many of them. I appreciate that. So today, we're going to talk about the survival guide, JavaScript survival guide for financial services. So we jump in? Yeah. Let's jump in. So as we jump in, I just want to set a little bit of a context setting, lay of the land. I don't think anybody here in this room is going to be surprised to learn that there are about 1.8 billion websites out there in the world, and 98% of them use JavaScript. JavaScript is everywhere, and most people are using JavaScript, whether they know it or not. But JavaScript is not confined to just the web. That is only one vector through which you might encounter JavaScript in your daily life. JavaScript shows up in IoT devices. It shows up in many different places, including space. It even shows up in space. And this is sort of one of my favorite case studies, in addition to now Capital One, of course, previously. But we did a case study a while back about how Node.js is used in spacesuit monitoring solutions. And we were really lucky to have astronaut Christina Koch come to speak at one of our conferences. She spent a year on the space station. And she talked even more broadly about how JavaScript is being used at NASA, and some of the solutions they have for monitoring and how they're even having to build special gloves so they can do the touch on the screens with JavaScript. So really cool mission-critical work happening at NASA. Truly mission-critical work. 
So let's just take a step back and just talk more about the projects that we have. I think you all have heard more about Node.js and Electron today, but we are a collection of 40 projects. We have jQuery, ESLint, Webpack, Fastify. I saw a whole list in Noah and Steve's presentation earlier today, NBM, a lot of great projects. And the OpenJS Foundation was created about three years ago by the merger of the JS Foundation and the Node.js Foundation. And we knew that sort of working better together that we could really drive more advancements in the JavaScript space. And as you look at this list, you know, thinking about finance, you know, a lot of these tools, these may not be, you may not call them business differentiators, coreline tools, but these are the building blocks that, you know, if you're a developer, these are the building blocks that you're using, your developers are using. And even if maybe you might not be, your vendors are using these tools. These are, they may be small, but they're very important. And even the smallest part of our ecosystem is incredibly complex. These projects, they're core building blocks. They may not be fundamentally powering, but they enable and they provide a force multiplier. And they're very important. And just because they're not large doesn't mean they're not important. This particular XKCD comic makes the rounds a lot. And while we sit here and laugh at it, you know, it's like a little bit of a joke because it's true, you know, some of these small projects, they're incredibly important because they underpin a lot of the great infrastructure that we build upon. And this pattern does not just exist within JavaScript projects, it exists across the wider open source ecosystem. And this could keep you up at night, but don't panic. It presents a challenge rather than a fear. The challenge is how do we keep the JavaScript ecosystem trustworthy and modern for its astronomical user base? 
And this is a challenge that the foundation we look at and we kind of enjoy taking on. It's not flashy work. It's important work. It's work that has to be done. And if we look at, you know, we think about that previous comic of that little sliver holding the rest of it up, that Nebraska project, as we affectionately call it. If we can't make that project bigger, can we make it stronger? Can we make sure that it can live up to that task of holding up everything that we build and work upon? Companies are making big bets on OpenJS projects. NASA and Netflix, how can this distributed group of open source developers plan and prioritize their projects for stability? That mission statement is what the OpenJS Foundation is here to work on. We hope to, and what we work on and what we want to do is we want to provide that backstop for these projects. We want to eliminate the noise and provide support so that the JavaScript ecosystem can focus on what it is that they do best. One way to think about it is we want to remove the friction. And we want to, by removing the friction, we hope by removing the friction, the projects can be stronger and the ecosystem can be stable. It's not usually the code that's broken. It's everything else. And that's where we can kind of step in and help. Great. One of my favorite stories about how a small open source project started and really grew was Fastify. Fastify helps with your web performance. And it was started a few years back by Matteo Collina and Thomas Della. And they really did credit the backstop of the OpenJS Foundation as helping them to build that. And I think in 2020 they had about, let me get this right, about 500,000 downloads a week or a month, and now they have about 800 downloads a week. And they've really just grown their ecosystem through the communities that they've met and worked with and engaged at the OpenJS Foundation. Fastify is being used in a lot of major companies. I know Steve talked about it at Capital One. 
Net-a-Porter is another one of my favorite case studies. We're sort of in a fashion capital here as well at this financial conference. And Net-a-Porter, big Italian UK fashion house, holidays obviously really important to them. They were having problems, of course, during holiday peaks. And the work that Fastify provided for them really, they credit the Fastify project for really bringing them through that and helping them be faster and more responsive to their customers. So it's one of my favorite sort of success stories as we've seen. But Matteo and Thomas, they rely on us for a lot of other things. We've registered their trademark, we help with some of the compliance and all of those wonderful things that I know that they're busy with their startups and node projects and everything else. So it's been a good story. And one way I like to think about it is could they have done it without us? Probably, but we don't need to know the answer to that question because they didn't have to. We were kind of here to support and provide that backstop. So digging in a little bit, when we talk about, I mentioned a little bit, there's a lot of noise, there's a lot of friction. Open source is not just about code. What am I meaning when I'm talking about this? We've got this kind of great slide here that I know that you've used in a couple of different places that really kind of illustrates everything that goes into an open source project. Everything an open source project needs to think about. And depending upon the size of the project, they may not need every single one of these bullet points, but every project needs something out of this wheel. Every project needs to be able to demonstrate its value. Otherwise, why would I need to use it? Why would there be adoption? Neutral management, as a project grows, this becomes a very important subject for trust and validity. Like is it going to be at a safe home in a safe place? Will it have continuity? 
Developer recruitment and relations, you can't have one person maintaining an open source project ad infinitum. They burn out, they get tired, they want to move on to other things. Training, people got to learn how to use the software. Content, you got to write technical documents, you got to write documentation, code samples, SDKs, FAQs, marketing. You know, I can't use a project if I don't even know it exists. And then there's IT beyond version control. Yeah, it's great that you can go on and create a GitHub repo, but you need the CI/CD, you know, GitHub helps with that, but like there's all sorts of where the environment's going in, how am I getting the builds running? How do I, you know, check in everything? How do I distribute? There's just so much that goes into an open source project and a good chunk of it can sometimes feel like noise. And these are things that something like OpenJS Foundation can help with. And so this is originally when Robin and I were kind of working on the slides. I was just like, we just need to put in an RTB slide at GoDaddy, we call it RTB, run the business. I think you said Microsoft calls it rhythm. Rhythm of the business. And so this is kind of, you know, what exactly does the OpenJS Foundation do? What are kind of the projects for it? Well, we got all sorts of these things that different projects need, different amounts from us, but there's IP management, trademark, there's dealing with certification and hackathons and licenses, public relations, marketing. You know, we have a Twitter account that goes out and we talk about our projects and we boost Zoom accounts, Slack, just all this stuff that we try to make sure that we're here to provide on an as-need basis to our projects. Yeah, I like to say we're like the product team around an engineering or developer group, so. These are kind of like the day-to-day stuff. There's obviously kind of, what are kind of some of the big things that we're working on? 
What are the things that we're adding in 2023? And so I think to kick that off, Robin. Yeah, and so for us, I mean, of course, security has always been important, but even more so today. We recently kicked off an OpenJS security collaboration space, and for us, a collaboration space is like a SIG or a working group. And we are taking ambitious security goals that cover all of the JavaScript ecosystem, not just OpenJS projects. And really, we're looking at a couple of areas. One is sort of creating some best practices that's really important in drawing on what we're learning from others, including the Open Source Security Foundation. And then the second one is the package vulnerability and management reporting. I know our team thinks CVEs have become like car alarms, so that's something that we're trying to focus on in the next year. And so if that's something that you're interested in, sort of in the broader space, we'd really welcome your participation. You want to hit the next one, and I'll talk a little bit more detail. So we've heard a lot about Node, and we heard about how the Open Source Security Foundation Project Alpha awarded the Node.js project its first grant. And that's because Node is critical. They have a criticality score, and you'll see Node had two billion downloads last year, so huge. They're growing all the time. You saw from all the releases, they're very stable, reliable, from the code to the community, so that's really good. And we believe sort of the foundation sort of helped kind of provide that nice, neutral base. So Project Alpha and Omega, Project Alpha is essentially, let's identify the most critical projects in the open source ecosystem and provide direct support. Omega is like tooling for sort of the long tail and for everybody to participate in. 
So we're really falling under that Project Alpha program, where Node got that first grant that's providing support to the tune of two people who we are funding to do some security work, triage support, and then setting, and then I'll explain some more detail on that next slide. So I encourage you to take a look. We've been blogging monthly and Raphael, who's one of the security leads, has been really documenting this in the Project Alpha repo as well. And you'll see kind of the top four things that the team has been working on. They reactivated the security working group and more people are coming along because that's really important. We know funding won't be there forever, so we need to be sort of self-sustaining in that regard. So they're tackling more security vulnerabilities at a faster pace. We're working on, we, the engineers, or the developers on the Node project, are working on a dependency vulnerability workflow, which is pretty interesting and you can read more about that. Looking at a threat model, which is really important to really better the project and for the community and users to understand what is and is not considered a threat. Working on a best practices document, which is done, I encourage you to take a look and then a permission system to really sort of avoid third-party libraries from accessing the code without consent. So those are some really important things and then next year we're gonna take on a couple of more goals with this group and do more on ecosystem adoption and so what we're going to do is to reach out to all of you if you're interested and we'll have some Node security folks be willing to come meet with your companies and do workshops and things. All right, so we just got a second grant from the Open Source Security Foundation, again, Project Alpha, Critical Project. 
So jQuery, as I know Jory Burson likes to say, you may not know you need jQuery but everyone is using jQuery, 77% of the world's websites, still taught in coding boot camp, still used broadly everywhere. And you just sort of look at the CDN, just how enormous it is. It is actively maintained by a wonderful group of people, global folks and so we're really happy when we just got another grant and I'll give you a little more detail. So this was just at the end of October and this is kind of taking a different twist. This is more about sort of securing the consumer web. We know that jQuery is used by folks or by folks in other projects that maybe are not as technical as somebody who has a different type of app. So our first phase of the campaign is we're gonna be working with IDC and we're doing an ecosystem risk audit just to really understand sort of the levers on identifying folks who are using jQuery and their websites and maybe what would encourage them to either upgrade or to move off jQuery. So it's essentially use jQuery less kind of program. Also doing a lot of work with modernizing its infrastructure as you can imagine, it's 15 years old, it's a very small team, it's not sometimes our legacy projects don't get the love and support from the industry as the newer ones so this grant is really helping them sort of get over that hump. We've been working with them for a couple of years to modernize the infrastructure and this will really just make it really long-term sustainable in a much more efficient way. And then the campaign I mentioned, once we take our learnings from the risk audit, we'll be working with a number of folks to educate broadly end users about jQuery and trying to get them again to either move to newer, safer versions or to get them off and onto something else. And then another sort of important piece on sort of educating the broader community is the work that has been done with the Node.js training and certification. 
This was a program that was really, that the community asked for back in 2016 under the Node Foundation. They took a lot of feedback on GitHub and then we took it inside at the Linux Foundation training, programmatized it, hired some great experts with Node.js in NearForm and David Clements who you may know and so we have that program. The cool thing about that is it gets upgraded as the Node project does its updates so it is always current. Okay, I'm gonna hand it over to you. So we've talked a little bit today about what the OpenJS Foundation is, how we view our support of the OpenJS projects but to kind of tie it back to the reality of the situation is hey, you're still at your company, you're making, when you bring in an open source project into your projects, you are for better or for worse, you are making a long-term bet on that project and what should a company be looking for when they're making that long-term bet and I'll be honest with you, it's still gonna be the same things. You're gonna be looking at the activity of the project, you're gonna be looking at the people you trust, you're gonna be kind of looking at the behavior of the project. 
The foundations like us exist to not only, like I mentioned, eliminating the noise for the projects as they run themselves, our hope is, is that we eliminate some of the noise as you evaluate the projects that you choose to use knowing that some of those what abouts and the big ifs you can feel a little bit safer and secure that there's a foundation that is well funded that exists to, if we're helping eliminate the noise for maintainers so that they can maintain higher quality projects, you can have a greater basis of trust as you see these projects and hopefully not only just the OpenJS Foundation projects that you see maybe have an increased amount of trust in across the wider ecosystem knowing that a lot of the projects that we support are tools used to build yet other projects that may not be a part of our foundation and that just kind of, we're hoping rising tide lifts all boats kind of waning up that trust. And trust is knowing that there's that support in the background and that OpenJS Foundation along with many others is there to provide that support. Our policies prioritize stability and openness. We are here, we seek to OpenJS, we seek to advance policies so that the industry can confidently enter the entire JavaScript ecosystem and that these policies to the greatest extent possible we encourage discussion in public. You can go find our public board meetings, a lot of the collab meetings on, I think all the videos are on YouTube, we've got notes, everything, the decision making processes that we make are as public as we can legally make them. 
And beyond that, there's the concept of open source and open standards and sometimes there has been a divide between the two but at the OpenJS Foundation we look at trying to bridge the two, like we, many of our members participate and we have strong relationships with open standards body, being just but one of them in terms of making sure that the open source and the open standards are supported and provided the resourcing and attention that they deserve as well. And then lastly, our governance model was specifically designed to give a strong voice to our projects. We're not, the OpenJS Foundation is not here to kind of take over and run the projects. We, when I was talking with Robin and we were putting this together, the idea of like we're not here for staffing, we're here for support and that goes the same way with the governance. We wanna make sure that there's, the individual project members have a voice in terms of how the OpenJS Foundation works and how we interact with the member projects. You should make sure if you did not attend Sara's keynote earlier in the morning, I'm sure our recording will be up and you can listen to that and see her perspectives and her talk about governance and bureaucracy when around open source. Yeah. And really what's great is that we are supported by some wonderful members like GoDaddy, obviously. Netflix, Google, IBM, Joyent, Microsoft and gosh, more and more members joining at the silver level. A lot of our new members in the last year did come from the financial services industry. We had Capital One, American Express, Bloomberg. So obviously, and I think there's been kind of a theme here too that you all have a large number of developers working in your companies and I think it's great sort of thought leadership to see you all contributing back. So that's been pretty great. 
Yeah, so what I would invite you to do is really, if you would like to participate more specifically in the JavaScript ecosystem, we're a great place to be, security, we need more help and I like to say that you can shape the future of JavaScript and this is kind of another Sara Chipps reference right here. This is Ellie Galloway. She spoke at our conference in 2019. She was 11 years old. She really sort of is one of the future leaders in JavaScript. So as we sort of build, we can build up more programs and campaigns. Shout out to Ambika who were co-chaired with the Grace Hopper conference that the Node project was active in this year. So really would just invite you to join us. We have a page on our website. It's openjsf.org slash collaboration. You can get invited. There's an open invite to our Slack channel, our calendar. Again, they're open for you to join. All kinds of things are events. Yeah, so that's good. Thank you all. Five minutes. Anyone has any questions? Oh, I have stickers at that table if you're interested. Yeah, question. So are you, it's like an internship or an employee loan program. What are you? That is a great, that is a great idea. I think we found that a lot of the developers on projects are employed by big companies. Some are, like Electron's a great example where there's a lot of great enterprise support with developers, but then you look at Node.js and a lot of folks are doing that on their free time. Shout out to IBM and Red Hat, though, who provide people hours to do that. But yeah, absolutely, I'd love to brainstorm with you on how we could do that. Some companies encourage or give people time. Yeah, yes, absolutely. Beth Griggs, who was here earlier, I think half of her time at Red Hat is dedicated to that. Even Joe Sepi, who's our cross-project council chair at IBM, half of his job is just supporting and running that it's essentially our technical oversight committee. 
Yeah, Microsoft and Slack have employees working on the Electron project. Even at GoDaddy we have people part-time on different open source projects. We have a couple of full-timers on the WordPress project. GoDaddy has a lot of surface area with WordPress, so it just depends on the business, but yeah, that's not uncommon. I mean, technically, I take a couple of hours out of a week here and there to participate with the OpenJS board and just keep up to date and steering and participating and conference planning and whatnot. Yeah, very active. Even one of our lead jQuery maintainers gets a half a day a week to work on jQuery. The small company in Poland, yeah. All right, thank you, everyone. Thank you. Thank you.