3. Application Architecture
Use Open Standards and Solutions by Default
- Where possible, use open source standards, and open source software first
- If an open source option is not available or does not meet user needs, favour platform-agnostic COTS over proprietary COTS, avoiding technology dependency, allowing for substitutability and interoperability
- If a custom-built application is the appropriate option, by default any source code written by the government must be released in an open format via Government of Canada website and services designated by the Treasury Board of Canada Secretariat
- All open source code must be released under an appropriate open source software license
- Expose public data to implement Open Data and Open Information initiatives
Maximize Reuse
- Leverage and reuse existing solutions, components, and processes
- Select enterprise and cluster solutions over department-specific solutions
- Achieve simplification by minimizing duplication of components and adhering to relevant standards
- Inform the GC EARB about departmental investments and innovations
- Share code publicly when appropriate, and when not, share within the Government of Canada
Enable Interoperability
- Expose all functionality as services
- Use microservices built around business capabilities. Scope each service to a single purpose
- Run each IT service in its own process and have it communicate with other services through a well-defined interface, such as a HTTPS-based application programming interface (API)
- Run applications in containers
- Leverage the GC Digital Exchange Platform for components such as the API Store, Messaging, and the GC Service Bus
Develop with Security in mind
- Applications that store, process, handle, or have network access to sensitive information should be developed with security in mind from the start, and should be audited and assessed before use
- Ensure sensitive data is protected appropriately when stored and transmitted
- Minimise the opportunity for accidental data leakage across application boundaries
- Ensure only authorised parties can access sensitive information
- Restrict access to sensitive data to those applications designed to handle such material in a secure manner
|