Dispelling Myths in Federal Use of Open Source Software


Modernizing technology is a national priority, and it is only possible through the adoption of
cloud-native technology. The pandemic has accelerated this trend, especially in the private sector,
which readily embraced the idea of a distributed workforce, but the government is not far behind.
As more entities realize the benefits of cloud-native technologies, including security, reliability, cost
reduction and flexibility, adoption is becoming commonplace.

And it’s essential to understand that there can’t be a conversation about building and deploying
applications on cloud-native technologies without also considering open source software (OSS),
since OSS components are often the building blocks of those technologies.

In 2016, the Obama administration introduced the Federal Source Code Policy, establishing a
standard for the use of OSS and touting the benefits of collaboration. The policy includes “a pilot
program that requires agencies, when releasing new custom software, to release at least
20 percent of new custom-developed code as open source for three years.”

Levels of compliance with the policy vary widely across government. Some agencies, such as the
Departments of Energy and Transportation, NASA and the General Services Administration, are
fully compliant. Others are partially compliant, and some are not compliant.

Recognizing that adopting a new approach to implementing technology always comes with new
checkboxes and learning curves, dispelling some open source myths will improve
understanding as the government continues to prioritize it.

Myth #1: OSS carries more risk than proprietary software.

Historically, much of the criticism of OSS has centered on the open nature of the code and a
perceived lack of support to maintain it. The assumption has been that this puts an
organization at risk, both through potential vulnerabilities and through software bugs. However, whenever an
organization adopts a new tool, open source or proprietary, rather than developing it
in-house, it accepts a certain level of risk.

In the past year alone, major vulnerabilities in proprietary software have had catastrophic effects
on business and government organizations. Malicious actors go to great lengths to
compromise cloud applications and systems whether or not the source code is publicly
available. This is why security best practices such as vulnerability management,
access control enforcement and network security apply regardless of how the software is licensed. To secure cloud-native applications,
many agencies are moving to a DevSecOps model that integrates security practices
such as vulnerability management into the development and deployment phases.

There are also many tools that help at every step of the verification process, such as scanners
that check container images and the code inside them for known vulnerabilities. Many of these vulnerability
scanners integrate with existing technology stacks and can be deployed quickly. A scanner only
reports what its advisory database knows about, so scan results should gate deployments and be
re-run as new advisories are published rather than treated as a one-time check.
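As an added example (not code from the original article or from any vendor), the following Python gate shows how a scanner's findings can be wired into a deployment pipeline: it reads a scan report, keeps only findings at or above a severity threshold, separates those with no available fix, honours time-boxed waivers, and fails the build on whatever remains. It assumes a report in the Trivy JSON layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`); the embedded report, the image name, the package names, the `EXAMPLE-` finding IDs and the waiver list are all constructed placeholders, not real advisories.

```python
"""Added example: a severity gate over a container-image scan report.

Assumes a Trivy-style JSON report. The report, waivers and finding IDs
below are constructed for illustration and refer to no real advisory.
"""
import json
from datetime import date

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scan report in the Trivy JSON layout (Results[].Vulnerabilities[]).
# Image, packages and finding IDs are placeholders.
CONSTRUCTED_REPORT = json.dumps({
    "ArtifactName": "registry.example.gov/agency/app:1.4.2",
    "Results": [
        {
            "Target": "registry.example.gov/agency/app:1.4.2 (debian 12.5)",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0.0-1", "FixedVersion": "1.0.0-2",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libnofix",
                 "InstalledVersion": "2.3.0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libminor",
                 "InstalledVersion": "0.4.1", "FixedVersion": "0.4.2",
                 "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Vulnerabilities": [
                {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "somelib",
                 "InstalledVersion": "0.9.0", "FixedVersion": "1.0.0",
                 "Severity": "HIGH"},
            ],
        },
    ],
})

# Time-boxed waivers: finding ID -> ISO expiry date (constructed).
CONSTRUCTED_WAIVERS = {"EXAMPLE-0004": "2030-06-30"}


def load_findings(report_json):
    """Flatten a Trivy-style JSON report into one dict per finding."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        # Trivy emits null instead of [] for targets with no findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "target": result.get("Target", ""),
                "package": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
            })
    return findings


def evaluate_gate(findings, min_severity="HIGH", waivers=None, today=None,
                  ignore_unfixed=True):
    """Sort findings into buckets; 'blocking' is what should fail the build.

    A finding blocks when its severity meets the threshold, a fixed version
    exists (or ignore_unfixed is False), and it has no unexpired waiver.
    """
    waivers = waivers or {}
    today = today or date.today()
    if isinstance(today, str):
        today = date.fromisoformat(today)
    threshold = SEVERITY_RANK[min_severity.upper()]
    buckets = {"blocking": [], "waived": [], "unfixed": [], "below_threshold": []}
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            buckets["below_threshold"].append(f["id"])
            continue
        if not f["fixed"] and ignore_unfixed:
            buckets["unfixed"].append(f["id"])  # tracked, but nothing to upgrade to yet
            continue
        expiry = waivers.get(f["id"])
        if expiry and date.fromisoformat(expiry) >= today:
            buckets["waived"].append(f["id"])  # waiver still valid
            continue
        buckets["blocking"].append(f["id"])
    return buckets


def image_passes_gate(report_json, **policy):
    """True when the build may proceed (nothing in the blocking bucket)."""
    return not evaluate_gate(load_findings(report_json), **policy)["blocking"]


if __name__ == "__main__":
    result = evaluate_gate(load_findings(CONSTRUCTED_REPORT),
                           waivers=CONSTRUCTED_WAIVERS, today="2025-01-01")
    for bucket, ids in result.items():
        print(f"{bucket:16s} {', '.join(ids) or '-'}")
    raise SystemExit(0 if not result["blocking"] else 1)
```

Waivers expire on purpose: once the date passes, a previously accepted finding goes back into the blocking bucket, so an exception granted during an incident cannot silently become permanent. Unfixed findings are separated rather than dropped so they still appear in the report even when the policy chooses not to block on them.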

As adoption of open source software has accelerated in recent years, it has fostered greater collaboration and
support for open source projects. Many have large communities that provide financial support, contribute code, and help identify and resolve software vulnerabilities and bugs.

It’s not uncommon to see OSS projects running bug bounty programs to ensure code issues are caught and fixed quickly. In other cases, open source projects are largely maintained by commercial entities that invest significant time and resources in maintaining the software, just as they do for their proprietary products.

In 2016, the General Services Administration launched Code.gov, a government-supported
GitHub-style repository that lets government agencies take advantage of OSS. The
platform helps partner agencies and developers reduce code spend and improve software
quality by promoting code reuse and by educating and connecting the open source community.
This effort continues to influence the use of open source software across sectors by encouraging its
use and fostering greater innovation in government software.

Myth #2: Open source is immature.

Open source has been around longer than many realize. The concept of making code publicly available
and usable was given the name “open source” in 1998, when the branding effort began. Open source
projects often receive frequent contributions thanks to the growing OSS developer
community. The larger and more active an open source community is, the more mature its
projects will be. Similarly, the more open source is used commercially, the more
mature it becomes. Open source projects backed by competent maintainers or by
companies with a vested interest come with an expected level of quality and dedicated
resources. Extensive deployment in the private sector has allowed these maintainers to hone
useful features and build robust tools that meet a variety of needs, and public sector
organizations can benefit from that maturity.

Myth #3: Open source is for business, not government.

While it is true that many OSS leaders come from large companies and innovators such
as Google or Facebook, open source is not just for the private sector. There are many benefits
for government use, and there are many government-supported open source initiatives. Open source software can
be a valuable asset for the federal government because its open nature allows it to be shared and
reused across agencies, which matters both for collaboration and for budget
considerations. Without the need for large monetary investments, and with taxpayers’ money
at stake, open source is a financially responsible option. The opportunity to work with
innovative open-source software and tools can also appeal to developers, which helps
with recruiting efforts in an already challenging talent market.

Because OSS is collaborative by nature, most of it is designed to integrate with other tools in
the wider ecosystem. This provides flexibility across the stack and allows agencies to assemble a
toolchain that meets very specific needs.

There are already many open source initiatives within the federal government. GSA’s open source
policy includes 18F, GSA’s internal digital services team, as a resource that
promotes the use of open source software and helps both civilian and military agencies. And the
aforementioned Code.gov includes tutorials on software procurement and inventory.

As the federal government continues to advance modernization with cloud-native
technologies, open source will be key to success. Agencies should overcome misconceptions
in order to take advantage of the benefits OSS offers. Government IT departments that
embrace the transformation will find themselves on an innovative path to executing their missions as
efficiently as possible.

Justin Razmic is a Federal Account Manager at Aqua Security.
