Statement
We disagree with the NHS technical leadership’s decision to hide the source code of all of their repositories.
Making code open source requires more work than keeping it closed. That hard work is the point.
It requires a higher bar of quality. It requires processes to proactively find, fix, and monitor for vulnerabilities. It requires identifying risk, and putting barriers in place to contain any damage when things go wrong.
But it works like the human immune system: being exposed to threats hardens the attack surface.
Closed source allows that work to be skipped. It substitutes obscurity for depth, and obscurity buys you precious little when a sufficiently motivated attacker is involved.
We call on NHS England to withdraw the SDLC-8 red line and reaffirm its commitment to the NHS Service Standard Principle 12: “Make new source code open.”
If you agree, sign your name using the form below. Submissions are reviewed by hand, and your name will appear on the page once approved.