TrustOps: Continuously Building Trustworthy Software

Eduardo Brito, Fernando Castillo, Pille Pullonen-Raudvere, Sebastian Werner

TL;DR

TrustOps tackles the problem of verifying trustworthy software actions in complex, rapidly evolving systems by proposing an evidence-based paradigm that continuously collects verifiable data across the full software life cycle. It defines a lifecycle of evidence—raw to authenticated to attested to actioned—enabled by cryptographic and privacy-preserving technologies (e.g., TEEs, ZKPs) and integrated with DevOps practices. The paper outlines core principles, explicit phase-by-phase evidence strategies, practical application scenarios (open-source, service ecosystems, organizational trust), and a roadmap highlighting technical and adoption challenges. The approach aims to improve auditability, compliance, and resilience to flaws or supply-chain attacks, with broad implications for trust in software across domains.

Abstract

Software services play a crucial role in daily life, with automated actions determining access to resources and information. Trusting service providers to perform these actions fairly and accurately is essential, yet challenging for users to verify. Even with publicly available codebases, the rapid pace of development and the complexity of modern deployments hinder the understanding and evaluation of service actions, including for experts. Hence, current trust models rely heavily on the assumption that service providers follow best practices and adhere to laws and regulations, which is increasingly impractical and risky, leading to undetected flaws and data leaks. In this paper, we argue that gathering verifiable evidence during software development and operations is needed for creating a new trust model. Therefore, we present TrustOps, an approach for continuously collecting verifiable evidence in all phases of the software life cycle, relying on and combining already existing tools and trust-enhancing technologies to do so. For this, we introduce the adaptable core principles of TrustOps and provide a roadmap for future research and development.

Paper Structure

This paper contains 23 sections, 3 figures.

Figures (3)

  • Figure 1: Trust as a socio-technical phenomenon [ting2021trust], result of an evidence-based process, that influences people, software, and their interactions [nistsp800160v1r1, fitzgerald2017continuous].
  • Figure 2: The continuous life cycle process of enhancing evidence. Interactions with software generate evidence that can be authenticated to produce meaningful knowledge and attest to claims about the software's development or operation, leading to informed actions that can, in turn, produce more evidence.
  • Figure 3: Overview of the idealized TrustOps life cycle, integrated within DevOps phases.