Yes, you really can.
We’ve all seen that security through obscurity doesn’t work. It leaves us in the dark on how our data is stored, protected and used. You shouldn’t have to take our word that our systems are secure, or that we fix our vulnerabilities - you should be able to see it in our designs, our code, our build and our operations. Being open invites trust - you should be able to trust us not because we tell you that you should, or because we’re the only supplier, but because we’ve earned it.
Our mantra is ‘simpler, clearer, faster and more humane public services’, and that means considering the needs of our users above all else. Our approach to security is no different. By being open and transparent our users can see what our systems are doing, which is a key part of treating our users humanely.
To showcase the security of our designs, our code, and our operations, we’ve implemented a few practices:
Our code, where possible, will be published in public Github repositories and can be downloaded by anyone. The only exception is when we’re prevented by contract or law, and we’ll generally try to avoid those situations if we can. Our designs will be published under the same principle. Where we go to the trouble of certifying or security testing our software or systems, we’ll publish the reports in as much detail as possible.
We think the good guys outweigh the bad
A question you might be asking is: Why all this openness? Doesn’t it give the bad guys an advantage? We think it gives the good guys a bigger one. Any user, or indeed any organisation, can look over the code for weaknesses. For example, we’re looking at using the codebase from GOV.UK as part of the basis for one of the DTO’s work programs. We can look over the code, and if we find a bug, we can either report it or even fix it directly. If GOV.UK were closed, we’d pay to use the codebase and they may never find certain vulnerabilities (which doesn’t mean the bad guys haven’t found them), or never fix them if they do.
We know we’ve got some really smart people here, but we also know that we don’t have a monopoly on them. So we’d love you to take our code and look at it, use it, analyse it, fork it, or even contribute to it. If you find an issue like a bug or something you’d like changed, let us know by lodging a ticket against the code in Github. Then we can prioritise, find and fix it - quickly.
We’re building confidence and trust in our systems by being as open and honest with our users as possible. You’ll be able to see that we’re implementing security right through our designs and code, you’ll be able to understand why we get gold certification stamps for security from our certification partners, and you’ll appreciate that your data is looked after by us because we operate our systems with the same transparency principles.
We have smart people developing for us, but you’re smart too, so we’d love you to join us in making Australian services great. We also want other Australian Government organisations to be as open as us - you’re more than welcome to contribute to our software, or host your own in Github inside our organisation. Contact me directly if you’d like to do that.