GSA’s Integrated Award Environment embraces GitHub

GitHub: Secure enough for government work, mostly

When the U.S. Citizenship and Immigration Services needed to process a change request for a router that shared an enterprise environment with the Secret Service and Transportation Security Administration, Deputy CIO Yemi Oshinnaiye wanted a quick way for his development, infrastructure and security teams to keep tabs on each other's work. He suggested they use GitHub, an open-source software development platform.

Agency skeptics, however, were reluctant to try the platform, saying the public tool was not secure enough.

"Really? It's a public tool with people that work on it [all the time],” Oshinnaiye replied. It has more security than the things that we're using internally."

Some developers suspicious of open-source software point to examples like the Heartbleed bug, which exploited OpenSSL's encryption library, as an example of insecurity in many public tools. A recent study by the Linux Foundation found that 80% to 90% of any modern piece of software is composed of open-source code. This same proliferation and reuse means there is no central authority to conduct quality control or keep track of when code is altered, potentially introducing new vulnerabilities.

Oshinnaiye told the audience at a Feb. 20 ACT-IAC event that It took time to convince his colleagues they weren't putting their projects at risk by leveraging what was already publicly available on the internet.

"It was a fight. It wasn't easy, I think it took about a year and some change, but then we said we're starting to use GitHub," he said. "Now I have a repository where I'm going to put scripts for infrastructure, scripts for development and scripts for security in one place. Now that's revolutionary. It's very simple, but it's revolutionary."

Agencies like the Office of Management and Budget believe federal agencies should not only use open-source code where possible, but also contribute to it when they can. Since 2016, OMB has required civilian agencies to release up to 20% of their custom code to, where anyone can use it.

"We're open source for the way we develop, and the Smithsonian actually has a GitHub account … so if your enterprise adopts it, that's like the No. 1 great thing," said Ravyn Manuel, a senior application developer and DevOps engineer for the Smithsonian National Museum of African American History and Culture. "And then for the tools, open source is free, so it's really cost effective."

"I really strongly believe in [open source], and I hope that everybody here posts their code when it's possible," said William Daus, branch chief for National Science Foundation's research directorate. "I know that sometimes it's not, but it is good to share and reuse."

The Department of Defense has not issued an open-source policy, and CIO Dana Deasy told auditors last year that most of DOD's custom software is "sensitive for national security" and made for weapons systems like the F-35 and the F-22. Deasy said it's "unclear that 20% of the Department's custom code is releasable at all."

This article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected