The Government Digital Service (GDS) has said that open source code can be just as safe as closed code – as long as there is the correct guidance.
Two new documents update GDS's guidance on opening up source code, outlining the two big concerns over the process and how businesses can overcome them. The guidance covers when code should be open or closed, and security considerations when coding in the open.
The documents advise organisations to keep some material closed, such as keys and credentials, algorithms for detecting fraud, and unreleased policy. Everything else should be open, including configuration, database schema and security-enforcing code.
Open source code can lead to better code, increase user engagement and support collaboration. Guidance from GDS suggests organisations should open their code earlier in projects, so that security can be addressed throughout the process.
Though businesses think closed source code is the best security measure, GDS explains that it shouldn't be solely relied on, as hackers could still find details of an organisation's code when it is closed. Open code could prove to be more secure by using cryptographic algorithms.
Anna Shipman, open source lead at GDS, said: “The new guidance addresses why open sourcing code that performs a security-enforcing function is beneficial. In simple terms, we can compare coding in the open to how padlocks work.
“Everyone knows how padlocks work but they are still secure because you cannot open them without the key. This will make it easier for your organisation to develop and deploy secure and open services, and should address your concerns around coding in the open securely.”
Overall, government bodies should use both open and closed source code across their organisations. Both areas of guidance are based on industry standards and have been reviewed by the GDS security engineering team and the National Cyber Security Centre.