Digital Public Goods (DPGs) are open-source software, data, AI models, standards, and other open content that adhere to privacy and other applicable laws and best practices.
The DPG library is aimed at environments that have limited resources. In such environments, proprietary solutions are often too expensive to acquire and too restrictive, sometimes resulting in vendor lock-in. Working with the DPG platform provided a fantastic opportunity to do digital good, a key aspect of the Gofore ethos.
– Like many software projects these days, the DPG projects often feature various open-source libraries and solutions that may pose security issues and vulnerabilities if not utilised and verified properly, Gofore’s information security consultant Niall O’Donoghue explains.
Software projects are nowadays less about writing new code and more about combining and linking open-source libraries into a customised pipeline. The security levels of these libraries may vary wildly, which is why it’s important to document each project’s library dependencies thoroughly.
– A software bill of materials is crucial for risk management. If you don’t really know where your dependencies are coming from and who’s developing them, there is an increased chance of outdated and even malicious libraries sneaking into the finished solution. This highlights the importance of a trustworthy and reputable framework. Fixing such problems in the deployment stage is expensive, time-consuming, and might not even be possible, O’Donoghue highlights.
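As an added illustration (not code from the article or from Gofore), the script below reviews a constructed CycloneDX-style software bill of materials against the questions raised above: can we tell where each dependency comes from (a package URL from a known registry type), who publishes it (a supplier entry), and whether the pinned version is below a minimum we accept. The SBOM contents, the trusted registry types and the minimum-version policy are all hypothetical sample values.

```python
"""Added example: a minimal SBOM review over constructed CycloneDX-style data.

Flags components whose origin cannot be verified (missing or untrusted purl),
whose publisher is unrecorded (no supplier), whose version is unpinned, or whose
pinned version falls below a policy minimum. All data here is constructed.
"""
import json
from dataclasses import dataclass

# Constructed sample SBOM in the shape of a CycloneDX 1.x JSON document.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0",
         "supplier": {"name": "Python Software Foundation"}},
        {"type": "library", "name": "leftpad-utils", "version": "0.0.3",
         "purl": "pkg:generic/leftpad-utils@0.0.3"},   # no supplier, generic origin
        {"type": "library", "name": "urllib3", "version": "1.26.5",
         "purl": "pkg:pypi/urllib3@1.26.5",
         "supplier": {"name": "urllib3 maintainers"}},  # below our policy minimum
        {"type": "library", "name": "mystery-lib", "version": "1.0.0"},  # no purl at all
    ],
})

# Hypothetical policy: purl types we treat as known registries, and the
# minimum version we accept for packages we track.
TRUSTED_PURL_TYPES = {"pypi", "npm", "maven"}
MINIMUM_VERSIONS = {"urllib3": "1.26.18"}


@dataclass
class Finding:
    component: str
    issue: str


def parse_version(version):
    """Turn '1.26.5' into (1, 26, 5); non-numeric fragments become 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def purl_type(purl):
    """Extract TYPE from 'pkg:TYPE/NAMESPACE/NAME@VERSION'; None if not a purl."""
    if not purl.startswith("pkg:"):
        return None
    return purl[4:].split("/", 1)[0]


def review_sbom(sbom_json):
    """Return a list of Finding objects for every policy violation in the SBOM."""
    bom = json.loads(sbom_json)
    findings = []
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        purl = comp.get("purl")

        # Origin: without a purl from a known registry we cannot verify the source.
        if not purl:
            findings.append(Finding(name, "no purl: origin cannot be verified"))
        elif purl_type(purl) not in TRUSTED_PURL_TYPES:
            findings.append(Finding(name, f"untrusted source type '{purl_type(purl)}'"))

        # Publisher: the supplier field is how the SBOM records who develops it.
        if not comp.get("supplier", {}).get("name"):
            findings.append(Finding(name, "no supplier recorded"))

        # Version: unpinned or below the policy minimum means outdated risk.
        if not version:
            findings.append(Finding(name, "no version pinned"))
        elif name in MINIMUM_VERSIONS and parse_version(version) < parse_version(MINIMUM_VERSIONS[name]):
            findings.append(Finding(name, f"version {version} below minimum {MINIMUM_VERSIONS[name]}"))
    return findings


if __name__ == "__main__":
    for finding in review_sbom(SAMPLE_SBOM):
        print(f"{finding.component}: {finding.issue}")
```

Run as-is it reports five findings across three of the four components; only `requests` passes every check. In a real pipeline the policy tables would come from the project's dependency policy and the SBOM from a generator run against the actual build, and the script would fail the build when `review_sbom` returns anything, which is far cheaper than discovering the same problems after deployment.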