New documents convey message that open code can be as secure as closed code if the right steps are taken
Government organisations should keep some elements of the data closed when they release source code for software, and not rely on closed code as their only security measure, according to new guidance from the Government Digital Service (GDS).
It has included the recommendations in two new documents that update its guidance on opening up source code, reflecting what it describes as two big concerns over the process.
Anna Shipman, open source lead at GDS, said in a blog post that the move has come with changes in thinking on security, and that the previous code is no longer relevant to some areas.
The guidance on when code should be open or closed includes the point that some elements should always be closed, notably the keys and credentials, algorithms used to detect fraud and anything on unreleased policy.
Configuration code, database schema and security-enforcing code are all fair game to be opened up, although there is a need to ensure that configuration code does not contain any keys or credentials.
Security factors
Recommendations in the document on security considerations include opening the code early in a project to address security as it goes along, and following good development practices such as compiling comprehensive documentation and using clear commit messages to explain any changes.
Using closed code should not be the only security measure, as attackers can still find details of the code when it is closed. Instead, the document urges organisations to take a ‘defence in depth’ approach, coordinating the use of several countermeasures, to keep their systems secure.
The overall message is that open code can be just as secure as closed code if the right steps are taken.
The guidance is based on industry standards and has been reviewed by the GDS security engineering team, the National Cyber Security Centre and representatives of Whitehall departments.
Padlock analogy
Shipman said: “In simple terms, we can compare coding in the open to how padlocks work. Everyone knows how padlocks work but they are still secure because you cannot open them without the key.
“Security enforcing software works in the same way, and good cryptographic algorithms are reviewed by many professional peers. Security is improved through public review.”
She added that GDS is still seeking peer review on open code and subjects its own code to penetration testing, in line with the Security Design Principles for Digital Services.