GitHub: Secure enough for government work, mostly
- By Derek B. Johnson
- Feb 24, 2020
When the U.S. Citizenship and Immigration Services needed to process a change request for a router that shared an enterprise environment with the Secret Service and Transportation Security Administration, Deputy CIO Yemi Oshinnaiye wanted a quick way for his development, infrastructure and security teams to keep tabs on each other's work. He suggested they use GitHub, an open-source software development platform.
Agency skeptics, however, were reluctant to try the platform, saying the public tool was not secure enough.
"Really? It's a public tool with people that work on it [all the time],” Oshinnaiye replied. It has more security than the things that we're using internally."
Some developers suspicious of open-source software point to examples like the Heartbleed bug, which exploited OpenSSL's encryption library, as an example of insecurity in many public tools. A recent study by the Linux Foundation found that 80% to 90% of any modern piece of software is composed of open-source code. This same proliferation and reuse means there is no central authority to conduct quality control or keep track of when code is altered, potentially introducing new vulnerabilities.
Oshinnaiye told the audience at a Feb. 20 ACT-IAC event that It took time to convince his colleagues they weren't putting their projects at risk by leveraging what was already publicly available on the internet.
"It was a fight. It wasn't easy, I think it took about a year and some change, but then we said we're starting to use GitHub," he said. "Now I have a repository where I'm going to put scripts for infrastructure, scripts for development and scripts for security in one place. Now that's revolutionary. It's very simple, but it's revolutionary."
Agencies like the Office of Management and Budget believe federal agencies should not only use open-source code where possible, but also contribute to it when they can. Since 2016, OMB has required civilian agencies to release up to 20% of their custom code to Code.gov, where anyone can use it.
"We're open source for the way we develop, and the Smithsonian actually has a GitHub account … so if your enterprise adopts it, that's like the No. 1 great thing," said Ravyn Manuel, a senior application developer and DevOps engineer for the Smithsonian National Museum of African American History and Culture. "And then for the tools, open source is free, so it's really cost effective."
"I really strongly believe in [open source], and I hope that everybody here posts their code when it's possible," said William Daus, branch chief for National Science Foundation's research directorate. "I know that sometimes it's not, but it is good to share and reuse."
The Department of Defense has not issued an open-source policy, and CIO Dana Deasy told auditors last year that most of DOD's custom software is "sensitive for national security" and made for weapons systems like the F-35 and the F-22. Deasy said it's "unclear that 20% of the Department's custom code is releasable at all."
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.