https://gdstechnology.blog.gov.uk/2017/10/10/open-source-security-meetup-7-things-we-learned-from-the-cross-government-event/

Open Source security meetup: 7 things we learned from the cross-government event

Khidr Suleman, Technical Writer on Standards and Assurance, attended the cross-government Open Source meetup in London organised by GDS. Here’s a recap of the day’s events...

The second Open Source meetup took place on Tuesday 26 September. Turnout was great with over 100 attendees from 30 government organisations. The theme of the event was security considerations around coding in the open and open source. Speakers aimed to address the misconception that coding in the open is less secure than keeping everything closed.

Subject matter experts from across government gave talks about open source and security and there were also unconference style breakout sessions. So what did we learn from the event?

1. New guidance for coding in the open

Kicking off proceedings was the event host, GDS Open Source Lead, Anna Shipman. Anna gave attendees some best practice tips for coding in the open securely, referencing 2 new pieces of guidance that have been released by GDS. These detail the subsets of the code departments should keep closed and how to code in the open securely:

2. Coding in the open is great for international relations

The government’s National Technology Advisor, Liam Maxwell, talked about the non-technical advantages of coding in the open and how the UK is a leader in the field.

Liam said that the nature of the public sector means that sharing code is actually an advantage. Governments are not competing with each other and they can work together to make public services better. When it comes to providing driving licence services, for example, the UK can work with a country like Norway not just to share code but combine methodologies and standards to improve the experience for citizens across both countries.

3. Start small when shifting to Open Source and get stakeholder buy-in

Jason Paige, Head of Software Engineering at HM Courts & Tribunals Service (HMCTS), gave an insight into his department’s journey to fulfilling Point 8 of the Service Manual by making all new source code open.

Over the last year, HMCTS has moved from hosting code in-house to using GitHub Enterprise and has also been migrating to a PaaS solution. There were plenty of challenges along the way, including:

  • overcoming people’s fear of change
  • dealing with security issues when opening up code
  • explaining the benefits of open source to less technical stakeholders

To help solve their issues, HMCTS looked for guidance from other departments and organisations. A useful resource that helped HMCTS save time was HMRC’s coding in the open manual.

Jason engaged with less technical stakeholders, taking a risk-based approach to help them understand why working in the open was a positive step. The team started off with small low-risk proof-of-concepts. This helped to show stakeholders the advantages of working in the open and allowed bigger projects to be greenlit.

To date, the HMCTS GitHub page has over 30 repos, and the plan is to get to a point where projects are fully open sourced.

4. Security guidance must be practical so users follow it

The NCSC’s approach to security considers how people use devices and systems in real life. This allows the NCSC to issue guidance that benefits users.

Helen, the NCSC Engineering Processes and Assurance Lead, told attendees that we need to move away from simply asking whether we should ‘code in the open or close the code’. The focus should instead be on ‘how we can make coding in the open more secure’. The landscape is a spectrum rather than a Venn diagram, and security should take a risk-managed, holistic approach.

There are many benefits to coding in the open including collaboration and breaking down the boundaries between security and delivery, Helen continued. But there are also risks associated with open code that need to be identified and addressed. The NCSC and GDS need to help developers understand and manage these risks.

The NCSC is currently leading ‘Developer Centred Security’ research to understand how to support developers so they can produce more secure code within the constraints and pressures of the ‘real world’. The NCSC is also funding research being led by The Open University. This research aims to find out what motivates developers to adopt and integrate secure coding practices. The findings will help to shape practical development guidance for developers working across government.

5. Open code is not more or less secure than closed code

Following the talks, a panel of security and open source experts took questions from the audience. Previous speakers Anna and Helen were on the panel, as well as Ahana Datta, Head of Technical Security at MOJ (and former ethical hacker!) and Jenny Duckett, Senior Developer on the GDS security engineering team.

One of the attendees asked about security best practice. The panelists agreed that there will be challenges regardless of whether code is opened or closed. To mitigate risks you should:

  • write clean code
  • make use of peer reviews
  • carry out appropriate levels of testing
  • develop a culture where your team “thinks like an attacker”

L-R Anna Shipman, Ahana Datta, Jenny Duckett; the fourth panel member, Helen, is out of shot

6. Departments want help to make projects open and secure

Rounding off the day were 9 breakout sessions. The topics were suggested by attendees on the day in typical unconference fashion. Some of the most popular sessions were:

  • how to make closed things open
  • what tools help secure development
  • what a secure build pipeline looks like

The organisers plan to look over the session notes and work out what themes could be covered in future meetups.

7. More open source events are needed

Feedback from the event was overwhelmingly positive. Attendees enjoyed the day and found it useful for their work, with 93% saying they’d recommend a future event to a colleague. Lots of feedback talked about how useful it was to meet colleagues doing the same thing across government, and about helpful tools and tips they learned.

Suggestions for improvement included having more time for open space sessions and making the event longer.

The consensus was that more events would be popular. If you would like to help out or host one in your department or government organisation, please get in touch.

Stay tuned for more information on the next meetup.
