This is strong, pragmatic and mature guidance – “risk is driven by weaknesses and remediation capability, not code visibility”.

It rejects security by obscurity where many organisations withdraw and regress when new threats emerge, in this case with AI, highlighting correctly that AI compresses discovery-to-exploit time.

The guidance seeks to resist closing code, which is strategically important. Without openness, there would be a loss of cross-government reuse, reduced security transparency and scrutiny, and an increase in long-term technical debt and cost.

A major element of the guidance is where it advises to “Assume shorter discovery-to-exploit windows… strengthen remediation capability”, i.e. the emphasis is on real control, not repository visibility.

It defines a minimum operational security bar that is effectively a lightweight secure SDLC baseline, closely aligned to NCSC Secure by Design, OWASP ASVS Level 1-2 hygiene and ISO 27001 expectations.

That said, it assumes a level of maturity many organisations do not have. The model works if organisations can patch quickly, operate CI/CD securely, maintain asset ownership and respond to vulnerability disclosures. In practice, open-by-default without this maturity can amplify the exposure window, though the guidance itself notes that attackers already find weaknesses through other means.

The guidance correctly suggests that the same tools used to attack can be used in defence. However, in many sectors, attackers adopt frontier AI tooling faster than defensive teams can operationalise it. Where that lag widens, the attacker advantage grows, and open code accelerates analysis in that window.

In summary, this guidance is the right direction, but only for organisations that can patch rapidly, detect continuously and respond to disclosures. If you cannot do these three things, openness amplifies risk. If you can, open-by-default is stronger than obscurity.

The real exposure is unpatched systems, weak configurations, poor ownership and slow response, not code visibility. Attackers already find weaknesses; the question is whether your team finds them first. To stay open, you must operate like a modern software organisation.

https://www.gov.uk/guidance/ai-open-code-and-vulnerability-risk-in-the-public-sector#minimum-standard-for-publicly-accessible-systems