Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Can Openness in the US Government Lead to Better Application Security?

DZone's Guide to

Can Openness in the US Government Lead to Better Application Security?

How does a policy of code reuse tie into the idea that code will be used in ways that developers cannot anticipate?

· Performance Zone
Free Resource

Transform incident management with machine learning and analytics to help you maintain optimal performance and availability while keeping pace with the growing demands of digital business with this eBook, brought to you in partnership with BMC.

white-house-application-security.jpg

On Tuesday morning, ZDNet reported that the U.S. government has published a new federal policy that aims to encourage more agencies to open-source custom code they’ve developed.  

According to the piece, the policy draws attention to the waste that occurs when agencies purchase substantially similar code because other agencies haven’t made their code discoverable or available.

In principle, I really like this idea. I fully believe that openness can lead to better security. In government, this is doubly important, as we all have the need to trust the software used to govern.

In cryptography, Kerckhoff's Principle says that cryptographic software should be secure even if the software, algorithm, cipher text, and plain text are all available to the attacker. I believe this is true for all software. This is why you can use FreeBSD safely even though the attackers have all the source. 

Take voting software, for instance. It's currently closed, difficult to audit, and people are strongly motivated to "influence" the election. What if the manufacturer pulled a "Volkswagen" and decided to work properly when tested, but in a real election, it favors one candidate or party? How would anyone know?

However, I'm a little skeptical about the drive to share. Most software isn't designed for reuse...particularly software written under contract for a specific agency. Contractors may inadvertently be influenced to make their code *less* reusable! They get paid to write new code remember. Government software is in desperate need of security. I think this helps. If nothing else, this creates an incentive not to be embarrassed. Mudge's new software labeling project has the same effect. Still, even though many eyes make all vulnerabilities shallow... Getting those eyes isn't guaranteed. It might not even be possible. Many projects to audit open source code have failed. It's a lot of work. Perhaps the qualified reviewers are doing paid bug bounties? Wonder if that's coming next.

Ultimately, open source projects only succeed when you build a community around a piece of software. I've had some that worked big, and a bunch that never caught on. I don't see a plan here to make it fun. Why would I look at software for HUD and contribute to make it better?

So, to me, this is one good step on a long hike.  Welcome to 1998, Government! 

Evolve your approach to Application Performance Monitoring by adopting five best practices that are outlined and explored in this e-book, brought to you in partnership with BMC.

Topics:
open source ,code reuse ,government

Published at DZone with permission of Jeff Williams, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}