
Comments (9)

gcharest commented on May 29, 2024

Hi @CalvinRodo !
I will close the issue in the whitepaper and we'll continue the work here.
Thanks!

from open-source-logiciel-libre.

gcharest commented on May 29, 2024

@ptd-tbs @tallardyce and others. Do you know if we have any guidance on this issue? (I'll be 100% honest, I don't know yet myself but I will keep digging).


CalvinRodo commented on May 29, 2024

From Maggie OReilly in GCMessage Discussion - https://message.gccollab.ca/channel/opensourcesoftware?msg=jyXFASiJRn4DN5PZ5

The protected info ref: testing etc comes from the Access to Information Act exemptions: Testing procedures, tests and audits

22 The head of a government institution may refuse to disclose any record requested under this Act that contains information relating to testing or auditing procedures or techniques or details of specific tests to be given or audits to be conducted if the disclosure would prejudice the use or results of particular tests or audits.


tallardyce commented on May 29, 2024

Not off the top of my head, sorry!


gcharest commented on May 29, 2024

@CalvinRodo I've been talking to my Cyber colleagues and we're on it. This document will not necessarily state what is or what is not protected in full length but actual guidance will be issued.

Now, for the purpose of this question, I quickly added elements addressing the question without necessarily answering it fully.


gcharest commented on May 29, 2024

Just keeping material for discussion:
Some security considerations to keep in mind when developing software:

  • Tests: Unit testing, regression testing, integration testing, stress testing, etc.
  • Testing procedures: Manual inspections, Threat modeling, Pen testing, Name of devices, IP addresses, MAC addresses, etc.
  • Audits: Results of tests, logs, etc.

Clarification required about elements of testing mentioned above as protected information.

  • Keeping sensitive data such as credentials secure and separate from source code
  • Not storing keys and other sensitive material in systems not approved for that purpose
  • Doing code reviews to increase the likelihood of catching bugs and security vulnerabilities, and to reduce the risk of committing sensitive data
  • For the opening of existing source code, additional actions will be needed, such as defining the scope, reviewing quality and security, and ensuring compliance specifically on intellectual property.


CalvinRodo commented on May 29, 2024

I've added an issue with my security controls I've documented, might be useful for the guide and relevant to the info you just posted #12


gcharest commented on May 29, 2024


ShadeWyrm commented on May 29, 2024

The Protected Information section was changed and expanded upon in the intro:

In order for source code to potentially be deemed protected, it would have to contain any of the following information:

  • Information that is deemed Classified
  • Information obtained in confidence
  • Information about federal-provincial affairs
  • Information about international affairs and defence
  • Information about law enforcement and investigations
  • Information about the safety of individuals
  • Information about the economic interests of Canada
  • Personal information
  • Third party information
  • Advice about certain aspects of operations of government
  • Information about testing procedures, tests, and audits
  • Information that is subject to solicitor-client privilege
  • Information that is subject to statutory prohibitions
  • Certain types of information held by the Canadian Broadcasting Corporation and Atomic Energy of Canada Limited
  • Confidences of the Queen’s Privy Council for Canada

It is highly unlikely that developers would intentionally include such information in their source code. As a result, source code is considered unclassified unless the developer has included, inadvertently or otherwise, information that falls under the items listed above.

Where feasible, this information should be removed from the source code to increase the ability for code to be shared.


Closing this issue, feel free to open a new issue if you feel further clarification is required detailing what information you'd be looking for.

