Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Myth versus fact: Open source projects and federal agencies

Kacy Zurkus | Sept. 5, 2016
More federal agencies are shifting to open source which could be great or it could open the door to greater vulnerabilities

Many agencies in the federal government use approved public repositories for open source software development. According to the General Services Administration (GSA) GitHub dashboard, there are 236 federal organizations using a combined 5,254 project repositories.

More federal agencies are increasing their use and creation of open source software to achieve their IT objectives. In order to best prepare for the implementation of even more open source projects, federal agencies need to understand the facts among the many misconceptions and myths surrounding public repositories. 

What's mainly driving the increased use of open source in federal agencies is the reduced costs of a shared platform; however, Jay Jaiprakash, director of technology, Sapient Government Services said, "The shift to open source requires looking at several factors, such as culture, innovation, and architecture to be able to successfully employ the software."

Security practitioners in federal agencies shouldn't be bamboozled by the bandwagon effect of propaganda. Before making the jump simply because everyone else is doing it, it's important that they know their agency.

[ ALSO ON CSO: Your open source security problem is worse than you think ]

"Specific to culture and innovation, an agency must develop the right environment from how new ideas are rewarded to having the right policies. The governance and security teams should collaborate as the combined expertise benefits everyone from the latest ideas to the new enhancement," Jaiprakash said.

In addition to the cost benefit, Jaiprakash said, "Open source provides agencies the opportunity to seek the best solution as they are not tied down to a vendor, their products or upgrade paths."

Because the security ecosystem is forever changing, shared platforms allow for unforeseen circumstances, so Jaiprakash said, "As the agency evolves, this flexibility allows for switching out technologies that don’t work or moving towards a loosely coupled or decoupled architecture, enabling even more flexibility to take advantage of open source components."

According to 18F's "Facts about publishing open source code in government," written by Britta Gustafson and Will Slack, one myth about open source specific to federal agencies is that, "Public repositories are an emerging technology without widespread government use. The people using them are probably not paying full attention to compliance.”

Jaiprakash said, "Although the security risk profile for open source can be considered higher than with propriety software, open source actually includes more testing and reacts quicker with fixes due to the community participation and volume of users."

Another myth Gustafson and Slack challenged is the notion that, "Public repository hosting services are social networking tools with dubious collaboration features; using them would lead to our projects getting unreliable external code mixed into our official work.” 

The truth, said Gustafson and Slack, who referenced the specific policies of 18F as an example, is that federal agencies are actually able to fully control access and permission for their shared repositories.

 

1  2  3  Next Page 

Sign up for MIS Asia eNewsletters.