The U.S. government has finished and released its long-awaited open source software policy, in a move that could prove quite influential among governments around the world, while also raising a debate over matters such as security.

Under the policy, 20 percent of all newly developed custom code must be made open source for the next three years, according to the memorandum from U.S. CIO Tony Scott and chief acquisition officer Anne Rung. 

Its goals are reducing waste by avoiding duplicate procurement of custom code; lowering the government's dependence on proprietary software acquired from ISVs; and improving the quality of government software code with the help of the public open source community's ongoing contributions.

The government is planning to launch a website for the pilot, Code.gov, which will provide a set of tools and best practices for agencies to use when implementing the policy. It will also serve as the "primary discoverability portal for custom-developed code intended for both government-wide reuse and for release as OSS," according to the policy document.

Not everyone is in favor of the policy. The influential Business Software Alliance lobbying group had argued strongly against it, on grounds that it could actually increase government spending on custom code, as well as pose a significant security risk:

The fact is that reviewing software code for security vulnerabilities is a complex and time-intensive task which requires a high degree of expertise. It is unrealistic to expect that every single line of code published by Federal agencies pursuant to the Policy will be scrutinized carefully by developers with the experience and expertise needed to identify and fix potential vulnerabilities, especially if such developers perceive that the program is unlikely to be used by a broad audience of users.

Malicious hackers, by contrast, would have strong incentives to scour such Federal source code for vulnerabilities, particularly if they believe that they can exploit such vulnerabilities before they are identified and fixed. Accordingly, there is a real risk that implementation of the proposed Source Code Policy, as drafted, would increase the vulnerability of Federal IT systems to security attacks.

It should be noted that federal agencies involved with national security are exempt from the policy. And the BSA's perspective needs to be seen in the right light: if the U.S. government ends up spending less money on new software thanks to effectively reusing custom code, the group's members stand to lose out.

Still, when it comes to security under the OSS policy, does the BSA have a point?

There's certainly a discussion to be had, says Constellation Research VP and principal analyst Steve Wilson.

"From a security perspective, despite the lofty claims made about 'sunlight (openness) being the best disinfectant,' in practice open source software is not clearly more secure than closed," he says. "I am aware of studies that purport to demonstrate OSS is better but they're few and far between, and unconvincing."

"I am a strong proponent of code inspection; weak or absent code inspection let through catastrophic bugs like the Gotofail problem in Apple software," he adds. "And it does not follow that open source is automatically reviewed. Look at the Heartbleed bug. That was the sort of problem which coders trained in application security should be constantly on the lookout for. But even the guy who was supposed to review the Heartbleed software before it was released failed to spot it. It took nearly two years of being out in the open for anyone to report the Heartbleed error."

"To be sure, I do not base my cautions on a sample size of one," Wilson adds. "I only point out that openness does not lead automatically to review and improved quality. So we cannot afford to take OSS for granted. Like all software it needs to follow a carefully planned, regimented, documented and version-controlled testing program. Including code inspection. Code reviews need to be managed and recorded, so we know what was reviewed, and by whom."

One thing is for sure: presuming the new OSS policy isn't overturned by the incoming administration, given the U.S. government's sheer size, the next few years will certainly provide an ample test bed for determining whether it delivers benefits that outweigh any risks.
