Switzerland has recently enacted a law requiring its government to use open-source software (OSS) and disclose the source code of any software developed by or for the public sector. According to ZDNet, this “public body, public code” approach makes government operations more transparent while increasing security and efficiency. Such a move would likely fail in the U.S. but is becoming increasingly common throughout Europe.
According to Switzerland’s new “Federal Law on the Use of Electronic Means for the Fulfillment of Government Tasks” (EMBAG), government agencies must use open-source software throughout the public sector.
The new law codifies allowing Switzerland to release its software under OSS licenses. Not just that; it requires the source code be released that way “unless the rights of third parties or security-related reasons would exclude or restrict this.”
In addition to mandating the OSS code, EMBAG also requires Swiss government agencies to release non-personal and non-security-sensitive government data to the public. Called Open Government Data, this aspect of the new law contributes to a dual “open by default” approach that should allow for easier reuse of software and data while also making governance more transparent.
I mean wouldn’t everything be a security concern in relation to government agencies?
I work for the UK government. Everything my organisation does is licensed in either MIT or OGL (https://www.nationalarchives.gov.uk/doc/open-government-licence/version/3/)
Developing code in the open really helps ensure you nail down your secure coding practices.
In my opinion especially security code needs to be open source…
Nothing like bored programmers on the internet to nitpick the government’s code.
If you don’t release your source code due to security concerns, you just announced to the world that your software is vulnerable and you’re relying on security through obscurity.
never let them see you cry
Meh, not really. The risk with making it publicly available is that a nation state or leet hacker types can comb over it and find exploits or know what libraries/etc you are using so when a zero day pops up they can target you directly. Whereas without direct access to the source code they’d have to do their own enumeration and surveillance.
There is some security through obscurity.
Also, just want to point out: being open source doesn’t mean it’s more or less secure. There is plenty of vulnerable open source code out there.
I feel like a lot of the front ends can be open sourced.