Digital Public Goods Alliance

Data security in open source solutions is imperative for building an equal digital world

The Digital Public Goods Alliance (DPGA) is a UN initiative for deploying open-source tech such as digital health and infrastructure products that advance sustainable development goals in low- and middle-income countries.

Gofore improved the platform’s security and architecture while providing cybersecurity and consulting services. Gofore’s work focused on documenting privacy and security best practices, plus developing an approach for identifying and addressing vulnerabilities in open-source projects that DPGs are built on.


How do you ensure secure and common-good open-source software?

Digital Public Goods (DPGs) are open-source software, data, AI models, standards, and other open content that adhere to privacy and other applicable laws and best practices.

The DPG library is aimed at environments that have limited resources. In such countries, proprietary solutions might often be too expensive to acquire and restrictive, sometimes resulting in a vendor lock-in situation. Working with the DPG platform provided a fantastic opportunity to do digital good, a key aspect of the Gofore ethos.

– Like many software projects these days, the DPG projects often feature various open-source libraries and solutions that may pose security issues and vulnerabilities if not utilised and verified properly, Gofore’s information security consultant Niall O’Donoghue illustrates.

Software projects nowadays are not so much about writing new code as about combining and linking open-source libraries into a customised pipeline. The security levels of these libraries may vary wildly, which is why it’s important to document the libraries’ dependencies thoroughly in each project.

– A software bill of materials is crucial for risk management. If you don’t really know where your dependencies are coming from and who’s developing them, there is an increased chance of outdated and even malicious libraries sneaking into the finished solution. This highlights the importance of a trustworthy and reputable framework. Fixing such problems in the deployment stage is expensive, time-consuming, and might not even be possible, O’Donoghue highlights.


Improving the operational model through best practices and technical security assessment

Gofore’s work focused on improving the overall security and privacy level of the DPGA platform.

– A lot of great principles and standards were already in place, but we discovered that a self-review process for evaluating security and privacy was missing. We devised a questionnaire that helps developers define and improve the level of security in their DPG projects. It touches on themes such as data protection planning, privacy planning and risk management, O’Donoghue says.

Gofore also refined and supplemented DPGA’s core tenets in the areas of data ownership, data classification and impact assessment.

In addition to consulting and best practice implementation, Gofore also performed a technical software penetration test on OpenCRVS, a key DPG project providing accessible digital civil registration. OpenCRVS developers were extremely pleased with the results.


Improved capabilities for supporting sustainable development through digitalisation

As a result of the development and consulting project, security and privacy planning now has a more pronounced emphasis in DPG software projects.

– The exposure of personal data can be a life-or-death issue in countries where there are severe instabilities of various kinds. Ensuring data confidentiality, integrity, and availability by planning for privacy and data protection should be a common practice from the early stages of every software project, O’Donoghue says.

Project highlights


How to ensure safe, public-benefit open-source software?


Fitting operating models to best practices, supported by a technical safety assessment


Ensuring better conditions to support sustainable development in developing countries

The focus of the Gofore team was to ensure that the DPG owners get real value and learn from the knowledge experiments. The academic rigor of Gofore’s work is always aided by practical implications and on-ground impact that leads to outcomes.

Prajakta Kuwalekar, Product manager, DPGA


The skills & competences utilised in the project

  • Cybersecurity
  • Agile Transformation & Lean
  • Renewal
