Bulgaria Follows USA In Supporting Open Source

Last March, the White House released a draft policy that would require federal agencies to share custom-developed software with one another, and that raised the possibility of requiring federally funded code to be released as open source. Last month, the Bulgarian government followed suit, and raised the ante by writing a bug bounty program into the legislation. Add to this similar efforts in the UK, India and New Zealand, and a trend is clearly starting.

Bulgarian Government Mandate

There are obvious security concerns around releasing software that governments use for critical activities. I, for one, don’t want the code for critical infrastructure and defense systems covered by a blanket open source mandate, and Bulgaria has sensibly exempted its intelligence agencies. The government also needs to be mindful of systems that manage the personal information of employees and taxpayers: publishing that code, along with its configuration or embedded credentials, is a different matter from publishing the application logic alone. However, much of the software that manages non-critical data could be useful, in whole or in part, to the private sector. If managed properly, the legislation makes sense for a number of reasons.

More open source

Development teams are embracing open source for a good reason. It accelerates development while lowering (not eliminating) costs. The more open source available, the more we all benefit. Assuming the code covered under these policies has genuine utility, it will attract attention from the open source community. Independent developers will build enhancements that will be available to both public and private enterprises.

More eyes

I’m not arguing for “many eyes make all bugs shallow” in general. Security eyes, however, are undoubtedly useful; security researchers reviewing source are the origin of the great majority of open source vulnerability disclosures that end up in the NVD. Bulgaria has addressed this with its bug bounty program. By paying security researchers (and others) for bugs, the government is giving people who find vulnerabilities a reason to report them through a coordinated disclosure channel rather than sell or publish them.

More transparency 

Understanding what is being “custom built” can shed light on inside deals in which a contractor is paid to build something a commercial or open source solution already provides. Bulgaria is taking this a step further: all contracts for custom software will be available online for public review.

More efficiency

Taxpayer funds were used to create the code, and making that code available to other government agencies can reduce waste. Assuming the software meets the needs of several agencies, maintaining a single code base should also simplify maintenance, and it means a security fix only has to be made, reviewed and deployed once rather than in several divergent copies.

More innovation

NASA pioneered efforts to make technologies developed for the space program available to the public. Anti-icing systems, infrared ear thermometers, firefighting gear and memory foam mattresses are all examples of technologies that resulted from that sharing. In a world where software is integrated into almost everything, access to the government’s building blocks should spur similar advances.

I’ll reiterate that these programs must be managed carefully from a security standpoint: what gets published, and what gets scrubbed before publication, needs deliberate review. But overall, open sourcing software from some of the largest consumers of custom code can help us all.
