BSI and ZenDiS: More security for digital infrastructures with openCode
Software supply chains in public administration are to be automatically secured via the open source platform openCode. This is what BSI and ZenDiS are planning.
- Manuel Masiero
The rising number of complex cyber attacks, increasing geopolitical tensions and dependence on a few technology providers are jeopardizing the security and stability of digital infrastructures in public administration. This is the conclusion reached by the German Federal Office for Information Security (BSI) and the Center for Digital Sovereignty in Public Administration (ZenDiS).
In a joint strategy paper, the BSI and ZenDiS propose countermeasures to achieve a higher level of security for software products. Open source is considered the basis for digital sovereignty.
openCode as a security platform
The openCode platform, launched by the BSI together with other partners, is a central component of the new security concept. It is intended to detect critical vulnerabilities in the software supply chain automatically, on the basis of binding security standards and standardized testing procedures. At the same time, openCode aims to make dependencies transparent and to create traceable proof of origin for critical software components. Until now, it has been almost impossible for individual providers or organizations to implement both of these measures on their own. Technically, openCode runs its own GitLab instance and provides container images.
Through openCode, open source software is set to become a key element of a resilient digital infrastructure in Germany and to enable security organizations to respond to threats preventively rather than only reactively. Incidents such as the SolarWinds supply chain attack, which compromised the systems of numerous government agencies and companies in 2020, should no longer be possible.
The BSI and ZenDiS propose the following implementation steps based on openCode, starting this year: creation of a secure system for software testing and production with a verification process, a sovereign container registry with uniform standards, a resilient distribution infrastructure for software, and common quality criteria and testing standards. If everything goes according to plan, the platform should be ready for launch in 2026.
(mma)