Israel: PPA publishes guidelines for managing open-source code security risks

On April 10, 2024, the Privacy Protection Authority (PPA) published guidelines for managing information security risks when using open-source code in database systems. In particular, the PPA stated that the guidelines lay down recommendations and instructions on how to use open-source code and integrate it into the system in a way that preserves privacy, according to the Protection of Privacy Law, 5741-1981 (PPL) and its regulations. 

More specifically, the PPA highlighted certain information security risks of using open-source code such as:

  • lack of knowledge of the components;
  • lack of adequate maintenance and support; 
  • a known weakness that may allow uncontrolled access to databases;
  • an unknown zero-day vulnerability; and
  • a backdoor allowing a malicious actor to remotely execute code.

The PPA recommended implementing privacy by design and preparing and taking preliminary actions before incorporating open-source code, such as publishing a database definition document that includes a reference to the main risks arising from the use of open-source code and how to deal with them. Additionally, the PPA recommended running a training program and having a clear division of duties between the parties in charge of information security in the database.

You can read the press release here, the guidelines here, and the appendix to the guidelines here, all available only in Hebrew.
