TrustOps: Continuously Building Trustworthy Software
Eduardo Brito, Fernando Castillo, Pille Pullonen-Raudvere, Sebastian Werner

TL;DR
TrustOps proposes a comprehensive approach to continuously gather verifiable evidence throughout the software development and deployment lifecycle to enhance trustworthiness and transparency.
Contribution
It introduces TrustOps, a novel framework that combines existing tools and principles to enable continuous evidence collection for trustworthy software.
Findings
Provides a set of core principles for TrustOps implementation.
Outlines a roadmap for integrating evidence collection in all software lifecycle phases.
Highlights the importance of verifiable evidence for trust in software services.
Abstract
Software services play a crucial role in daily life, with automated actions determining access to resources and information. Trusting service providers to perform these actions fairly and accurately is essential, yet challenging for users to verify. Even with publicly available codebases, the rapid pace of development and the complexity of modern deployments hinder the understanding and evaluation of service actions, including for experts. Hence, current trust models rely heavily on the assumption that service providers follow best practices and adhere to laws and regulations, which is increasingly impractical and risky, leading to undetected flaws and data leaks. In this paper, we argue that gathering verifiable evidence during software development and operations is needed for creating a new trust model. Therefore, we present TrustOps, an approach for continuously collecting…
Taxonomy
Topics: Cloud Data Security Solutions · Security and Verification in Computing
