FLOSS (Free/Libre Open Source Software)

Strategic position of the BSI

The role of the Federal Office for Information Security (BSI) is to promote IT security. This means improving security when using the wide range of operating systems and applications. Because software monocultures are easier and quicker to attack, and attacks on them inflict more damage, the federal government's IT strategy aims to increase the diversity of software and reduce the number of monocultures. A wider selection of software also leads to greater manufacturer independence.

The use of FLOSS is associated with technical and strategic advantages brought to bear by the freedoms it provides: deploy, learn, expand, distribute. When using FLOSS, the following technical aspects are particularly important to the BSI:

  1. Complete control to adapt software security techniques irrespective of the manufacturer's business model.
  2. It should always be possible to test the software for vulnerabilities.
  3. The ability to eliminate software vulnerabilities independent of the manufacturer.

Within the BSI, FLOSS is used in a wide variety of areas, for example in the processing of logging data, in the Computer Emergency Response Team (CERT) and in penetration tests.

However, the BSI is not just a user; it also contributes to the development of FLOSS. This includes, for example, the development of SINA and Gpg4win/Gpg4KDE. SINA stands for Secure Inter-Network Architecture and is used, for example, to secure communication between German embassies. The free software Gpg4win and Gpg4KDE enable secure e-mail communication. In the development of SINA, it was the freedoms of FLOSS that paved the way: SINA is based on the Linux kernel, which was expanded into a highly secure system by minimising and adapting it. If it had not been possible to use the existing software as a basis, the development of such an application would not have been economically viable.

In addition to the technical aspects, the BSI also considers strategic factors to be decisive in the use of FLOSS. These include software diversity, but also interoperability. To ensure that software components communicate with each other and with other systems, it is essential to use open standards and interfaces. Therefore, standards must be documented and available for use in an open and freely accessible form.

Conclusion: Adaptability and software diversity together with the use of open standards provide a basis for IT security. However, security is a process. In order to maintain IT security, those responsible must have a thorough knowledge of the system, maintain it regularly and quickly eliminate vulnerabilities. The use of FLOSS per se does not guarantee a secure system. It does, however, offer significant strategic advantages in this process.