Brewing in the Dark: Homebrew and Software Supply Chain Security in Financial Services

The Conference Centre at the University of Toronto

Homebrew is the de facto package manager for macOS, and it is already running on your developers' machines, sanctioned or not. The instinct in financial services is to block it. Blocking it doesn't remove it; it turns it into shadow IT.

Traditional security tooling wasn't built to see Homebrew directly. EDR infers activity from process execution paths. Network monitoring watches for traffic to GitHub and the bottle registry. File integrity scanning detects new executables in brew paths. These signals are indirect and incomplete: a package that is installed but never run is invisible to execution-based tooling, an install served from a cached bottle never touches the network, and Homebrew installs, which by design do not require sudo, never trigger privilege-escalation monitoring.
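The direct alternative to those indirect signals is to ask Homebrew itself what is installed. The script below is an added example, not code from the talk or from the Homebrew project: it builds an inventory from the JSON that `brew info --json=v2 --installed` emits, so a package is recorded whether or not it was ever executed, whether the bottle came from the network or the cache, and without any sudo event to observe. The field names it reads (`formulae`, `casks`, `installed[].poured_from_bottle`, `installed_on_request`, `tap`, `full_token`) are my assumptions about that JSON schema, and the sample document embedded at the bottom is constructed for this example with hypothetical package names.

```python
"""Inventory installed Homebrew packages from Homebrew's own metadata.

Added example; not from the talk or the Homebrew project. Field names are
assumptions about the `brew info --json=v2 --installed` schema, and SAMPLE
is a constructed document, not real output.
"""
import json
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Taps maintained by the Homebrew project; anything else is a third-party source.
OFFICIAL_TAPS = {"homebrew/core", "homebrew/cask"}


@dataclass
class Component:
    kind: str            # "formula" or "cask"
    name: str
    version: str
    tap: str
    license: Optional[str]
    on_request: bool     # installed explicitly rather than pulled in as a dependency
    from_bottle: bool    # prebuilt binary poured from a bottle (formulae only)
    flags: List[str]     # review markers derived below


def _common_flags(pkg: dict) -> List[str]:
    flags = []
    if pkg.get("tap") not in OFFICIAL_TAPS:
        flags.append("third-party-tap")
    return flags


def inventory(info: dict) -> List[Component]:
    """Turn one `brew info --json=v2 --installed` document into Component records."""
    out: List[Component] = []
    for f in info.get("formulae", []):
        for inst in f.get("installed", []):          # one entry per installed keg
            flags = _common_flags(f)
            if not inst.get("poured_from_bottle", False):
                flags.append("built-from-source")   # no bottle checksum covered this binary
            if f.get("outdated"):
                flags.append("outdated")
            out.append(Component(
                kind="formula", name=f["full_name"], version=inst["version"],
                tap=f.get("tap", ""), license=f.get("license"),
                on_request=bool(inst.get("installed_on_request", False)),
                from_bottle=bool(inst.get("poured_from_bottle", False)),
                flags=flags))
    for c in info.get("casks", []):
        if not c.get("installed"):                   # known to brew but not installed
            continue
        flags = _common_flags(c)
        if c.get("outdated"):
            flags.append("outdated")
        out.append(Component(
            kind="cask", name=c["full_token"], version=c["installed"],
            tap=c.get("tap", ""), license=None, on_request=True,
            from_bottle=False, flags=flags))
    return out


def needs_review(components: List[Component]) -> List[Component]:
    """Components carrying at least one review flag."""
    return [c for c in components if c.flags]


def live_inventory() -> List[Component]:
    """Run brew on a real machine (not used offline)."""
    raw = subprocess.check_output(["brew", "info", "--json=v2", "--installed"])
    return inventory(json.loads(raw))


# Constructed sample in the assumed schema; hypothetical package names.
SAMPLE = json.loads(r'''
{"formulae": [
  {"full_name": "example-tool", "tap": "homebrew/core", "license": "MIT", "outdated": false,
   "installed": [{"version": "1.0.0", "poured_from_bottle": true,
                  "installed_as_dependency": false, "installed_on_request": true}]},
  {"full_name": "example-lib", "tap": "homebrew/core", "license": "BSD-2-Clause", "outdated": false,
   "installed": [{"version": "2.1.0", "poured_from_bottle": true,
                  "installed_as_dependency": true, "installed_on_request": false}]},
  {"full_name": "example/tap/internal-cli", "tap": "example/tap", "license": null, "outdated": true,
   "installed": [{"version": "0.4.0", "poured_from_bottle": false,
                  "installed_as_dependency": false, "installed_on_request": true}]}
 ],
 "casks": [
  {"full_token": "example-editor", "tap": "homebrew/cask", "installed": "2.3.0", "outdated": false},
  {"full_token": "example-app", "tap": "homebrew/cask", "installed": null, "outdated": false}
 ]}
''')

if __name__ == "__main__":
    for comp in inventory(SAMPLE):
        print(f"{comp.kind:8} {comp.name:28} {comp.version:8} {comp.tap:16} {','.join(comp.flags)}")
```

Run against `live_inventory()` on a workstation, the same records feed an SBOM or an audit trail; the flags mark the cases a reviewer in a regulated shop would want surfaced first: formulae from taps the Homebrew project does not maintain, binaries built locally from source rather than poured from a checksummed bottle, and anything outdated.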

In a regulated environment where software supply chain integrity, SBOMs, and audit trails are non-negotiable, this isn't a theoretical risk. Open source doesn't stop being open source just because your security tool didn't log it.

This talk examines why "just ban it" fails in practice, and what a realistic, compliance-aware approach to open source tooling looks like for engineering teams that can't afford shadow IT.

Event Details

The Open Source in Finance Forum (OSFF) is the premier event connecting leaders in financial services, technology, and open-source innovation. The conference is designed to foster partnerships, advance talent development, and accelerate technological progress across the finance industry, building faster, trusted, and secure solutions.

Secure your ticket: (https://events.linuxfoundation.org/open-source-finance-forum-toronto/)