Comments (9)
Hi @CalvinRodo !
I will close the issue in the whitepaper and we'll continue the work here.
Thanks!
from open-source-logiciel-libre.
@ptd-tbs @tallardyce and others. Do you know if we have any guidance on this issue? (I'll be 100% honest, I don't know yet myself but I will keep digging).
From Maggie OReilly in GCMessage Discussion - https://message.gccollab.ca/channel/opensourcesoftware?msg=jyXFASiJRn4DN5PZ5
The protected info ref: testing etc comes from the Access to Information Act exemptions: Testing procedures, tests and audits
22 The head of a government institution may refuse to disclose any record requested under this Act that contains information relating to testing or auditing procedures or techniques or details of specific tests to be given or audits to be conducted if the disclosure would prejudice the use or results of particular tests or audits.
Not off the top of my head, sorry!
@CalvinRodo I've been talking to my Cyber colleagues and we're on it. This document will not necessarily state what is or what is not protected in full length but actual guidance will be issued.
Now, for the purpose of this question, I quickly added elements addressing the question without necessarily answering it fully.
Just keeping material for discussion:
Some security considerations to keep in mind when developing software:
- Tests: Unit testing, regression testing, integration testing, stress testing, etc.
- Testing procedures: Manual inspections, Threat modeling, Pen testing, Name of devices, IP addresses, MAC addresses, etc.
- Audits: Results of tests, logs, etc.
Clarification required about elements of testing mentioned above as protected information.
- Keeping sensitive data such as credentials secure and separate from source code
- Not storing keys and other sensitive material in systems not approved for that purpose
- Doing code reviews to increase the likelihood of catching bugs and security vulnerabilities, and to reduce the risk of committing sensitive data
- For the opening of existing source code, additional actions will be needed, such as defining the scope, reviewing quality and security, and ensuring compliance, specifically on intellectual property.
I've added an issue with the security controls I've documented, might be useful for the guide and relevant to the info you just posted #12
The Protected Information section was changed, and expanded upon in the intro :
In order for source code to potentially be deemed protected, it would have to contain any of the following information:
Information that is deemed Classified
Information obtained in confidence
Information about federal-provincial affairs
Information about international affairs and defence
Information about law enforcement and investigations
Information about the safety of individuals
Information about the economic interests of Canada
Personal information
Third party information
Advice about certain aspects of operations of government
Information about testing procedures, tests, and audits
Information that is subject to solicitor-client privilege
Information that is subject to statutory prohibitions
Certain types of information held by the Canadian Broadcasting Corporation and Atomic Energy of Canada Limited
Confidences of the Queen’s Privy Council for Canada
It is highly unlikely that developers would intentionally include such information in their source code. As a result, source code is considered unclassified unless the developer has included, inadvertently or otherwise, information that falls under the items listed above.
Where feasible, this information should be removed from the source code to increase the ability for code to be shared.
Closing this issue, feel free to open a new issue if you feel further clarification is required detailing what information you'd be looking for.
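Two points raised in this thread come down to the same pre-release check: the earlier list of developer considerations (credentials and keys kept out of source code, code review to reduce the risk of committing sensitive data) and the closing guidance that details of testing procedures such as device names, IP addresses and MAC addresses should be removed from code before it is shared. The following is an added example, not code from the guide, the repository or any participant in the issue. It scans a source tree for those categories before publication. The pattern set, the `scan:allow` suppression marker, the choice of loopback and RFC 5737 documentation ranges as safe-to-publish addresses, and the sample files are all constructed assumptions for illustration, not a list the guide defines.

```python
"""Pre-release scan of a source tree for credentials and protected operational details.

Added example, not code from the guide or the repository. Patterns, the
"scan:allow" marker, the safe address ranges and the sample files are assumptions
made for this illustration.
"""
import ipaddress
import os
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Categories to flag. The first three cover credentials and key material; the last
# three cover the device names, IP and MAC addresses the thread lists as details of
# testing procedures. All patterns are assumptions chosen for this example.
PATTERNS = {
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # No leading \b: the keyword usually sits inside a longer identifier (DB_PASSWORD).
    "hardcoded_credential": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{6,}['\"]"
    ),
    "mac_address": re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"),
    "ipv4_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "internal_hostname": re.compile(
        r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|local|corp)\b", re.I
    ),
}

# Addresses that may legitimately appear in published code: loopback, unspecified and
# the RFC 5737 documentation blocks. Assumption: nothing real lives in these ranges.
SAFE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
)]


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    category: str
    match: str


def _is_real_ip(text: str) -> bool:
    """True if the matched text parses as an address outside the safe ranges."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False  # e.g. "999.1.1.1": matched the regex but is not an address
    return not any(addr in net for net in SAFE_NETWORKS)


def scan_text(path: str, text: str) -> Iterator[Finding]:
    """Yield one Finding per pattern hit, line by line, honouring the allow marker."""
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "scan:allow" in line:
            continue  # reviewer-approved exception, recorded next to the value itself
        for category, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Version strings like "2.0.1.7" also match the IPv4 regex; the
                # allow marker is the intended way to clear those false positives.
                if category == "ipv4_address" and not _is_real_ip(m.group(0)):
                    continue
                yield Finding(path, lineno, category, m.group(0))


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: content} mapping; paths are visited in sorted order."""
    return [f for path, text in sorted(files.items()) for f in scan_text(path, text)]


def scan_tree(root: str, skip_dirs=(".git", "node_modules")) -> List[Finding]:
    """Read every file under root (skipping VCS and dependency directories) and scan it."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
            except OSError:
                continue
    return scan_files(files)


# Constructed sample tree: the kind of material a release review turns up.
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_HOST = "db01.ops.internal"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'
        'DEMO_HOST = "192.0.2.10"  # documentation range, fine to publish\n'
    ),
    "tests/network_test.py": (
        'TARGET = "10.20.30.40"\n'
        'SWITCH_MAC = "00:1A:2B:3C:4D:5E"\n'
        'LOCAL = "127.0.0.1"\n'
        'VERSION = "2.0.1.7"  # scan:allow - version string, not an address\n'
    ),
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n",
    "README.md": "Run `make test` to execute the unit and integration tests.\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.category}: {f.match}")
```

Run against the constructed tree, the scanner reports the internal hostname, the hard-coded password, the private key, the non-documentation IP address and the switch MAC, and stays silent on the loopback address, the RFC 5737 address and the allow-listed version string. A finding is a prompt for review, not a verdict: the reviewer decides whether to remove the value, move it to an approved secret store, or record an exception with the marker. Wired into a pre-commit hook or a CI job with `scan_tree(".")`, it gives the code review the guide recommends a concrete starting list rather than relying on a reader to notice a stray address.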