Harnessing Trust in the Software Delivery Lifecycle
Software is eating the world, and the businesses that successfully orchestrate data and software together are today's market leaders. Software applications are becoming increasingly intelligent, ubiquitous and pervasive, and they affect many aspects of our lives and businesses. However, ask a software developer about their challenges and chances are you will hear the same ones as a decade ago. Software developers still face challenges arising from poor communication, unrealistic expectations, frequent changes in requirements and performance issues. There is a clear lack of visibility and trust between the different teams working in the software development lifecycle, which ultimately affects the quality of the software being developed. We think it is now time to bring trust and transparency to the software development process. The blockchain-enabled governance framework developed by Accenture Labs supports the recording, monitoring, and analysis of various activities throughout the application development life cycle, thereby building transparency and auditability into the entire process.
TRUSTWORTHY SOFTWARE
Modern software applications are no longer discrete, standalone entities, isolated from the wider enterprise. They exist as a component of complex, interconnected, living systems of technologies, applications, and people, as suggested in Accenture’s Future Systems report. Compare the complexity of modern applications to a traditional supply chain fraught with challenges related to visibility, transparency, auditability and integrity. The modern software supply chain comprises heterogeneous, geographically distributed teams covering various aspects of the application such as development, operations and security (DevSecOps). These applications are deployed across a range of platforms and need to adhere to multiple security and regulatory guidelines. Given these requirements, it is necessary to incorporate trustworthiness into the software and its delivery lifecycle. We believe that for any software to be trustworthy, it should address at least the following four concerns:
Figure 1: Attributes of a Trustworthy Software
TRUSTED SOFTWARE DEVELOPMENT FRAMEWORK
Modern software applications are no longer restricted to organizational boundaries, and developers today leverage a wide range of open source tools and methodologies, such as externally developed libraries from a range of sources. Moving beyond the traditional boundaries of the software development lifecycle comes with its own challenges. While losing control of the delivery lifecycle is the primary one, there are also issues arising from the use of a range of external tools, assets, processes and libraries. All this eventually affects the overall transparency and trust in the software delivery lifecycle. Hence, modern applications require software development processes to be transparent, verifiable, compliant, and accountable in order to increase the trustworthiness of the software. We propose a blockchain-enabled governance framework for trustworthy software development. This framework:
• Enables an immutable recording of provenance information using standard specifications
• Enables the specification of compliance/regulatory rules and best practices in the form of smart contracts
• Analyzes event data to identify non-compliance issues and raises alerts
• Uses audit trails to assist in endorsement (certification) of compliant behavior
• Allows for embedding domain knowledge in the form of ontologies and infers non-trivial knowledge
• Provides awareness and prescribes remedial actions
Figure 2 illustrates the blockchain-enabled governance framework for trusted software development. This can be used as an auditing framework to analyze how applications have been built and thereby assess their trustworthiness.
Figure 2: Framework for Trusted Software Development
Let us see how the framework works in a simple machine learning application comprising four stages: data collection, data preparation, model building and model testing. We envision the following steps in this workflow:
• A release manager specifies the stages of the workflow, best practices and the criteria for trustworthiness of the model. For example, the model can be deemed trustworthy if the generalization, robustness, and interpretability metrics are at least 95%.
• Activities of the development team are recorded along with their aspects, such as the agents involved in executing the activities, artifacts generated, timestamps etc.
• Smart contracts on the blockchain, capturing the best practices and regulations, get triggered upon encountering certain events and execute the logic embedded in them. The smart advisor raises alerts of any non-compliance.
• The manager can then reach out to the smart advisor to get more insights on these alerts. Domain knowledge in the form of ontologies is fed into the smart advisor to infer context-sensitive insights. Smart advisors are also capable of prescribing remedial actions.
• All the activities, alerts triggered, inferences obtained etc. get immutably recorded on the blockchain. Any stakeholder can scan through these records to assess the trustworthiness of the system.
• Certification authorities can use these audit trails to validate the goodness of models and thereby endorse the utility of the models.
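The recording, rule-checking and audit steps above can be sketched as follows. This is an added example, not code from the Accenture Labs framework: an in-memory hash-chained log stands in for the blockchain, a plain Python function stands in for the smart contract, and every name in it (`ProvenanceLedger`, `model_testing_rule`, the metric keys) is hypothetical.

```python
import hashlib
import json

THRESHOLD = 0.95  # release manager's trust criterion (the 95% from the text)
METRICS = ("generalization", "robustness", "interpretability")
GENESIS = "0" * 64  # "previous hash" of the first entry

def _digest(body):
    # Canonical JSON so the same record always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def model_testing_rule(stage, data):
    """Stand-in for a smart contract: flag metrics missing or below threshold."""
    if stage != "model_testing":
        return []
    return [f"{m} = {data.get(m)!r}, required >= {THRESHOLD}"
            for m in METRICS
            if not isinstance(data.get(m), (int, float)) or data[m] < THRESHOLD]

class ProvenanceLedger:
    """Append-only log; each entry commits to the hash of the previous one."""
    def __init__(self):
        self.entries = []

    def append(self, kind, stage, agent, data):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "stage": stage,
                "agent": agent, "data": data, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]

    def record_activity(self, stage, agent, data):
        """Record an activity, run the rule on it, and record any alerts too."""
        self.append("activity", stage, agent, data)
        alerts = model_testing_rule(stage, data)
        for message in alerts:
            self.append("alert", stage, "smart-advisor", {"message": message})
        return alerts

    def verify(self):
        """Audit the chain: index of the first inconsistent entry, or -1."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return i
            prev = entry["hash"]
        return -1
```

A local hash chain like this is tamper-evident only to an auditor who holds a trusted copy of the latest hash, since anyone able to rewrite the whole log can recompute every hash. Replicating the log across independent parties, which is the role the blockchain plays in the framework, is what removes that assumption.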
The benefits of the framework are immediate and enormous; it assists in recording, auditing, and analyzing activities during a software delivery life cycle. Such a framework can assist regulatory bodies and responsible organizations in continuous monitoring and in enhancing transparency and visibility. It also helps in addressing emerging certification concerns like the one established by the US Food and Drug Administration (FDA) for ‘Software as a Medical Device’ to ensure that safe and effective technology reaches all stakeholders.
A range of digital technologies such as Artificial Intelligence, Augmented/Virtual Reality, Virtual Agents etc. are disrupting our world today. In an era where software has become an integral part of our lives, both personal and professional, trust, transparency and responsibility are finding an increased resonance in the software delivery lifecycle. In this increasingly complex technological environment, the blockchain-enabled governance framework intends to bring much-needed trust and transparency to the software development process. We expect the framework to find wider acceptance in the coming years with the renewed focus on issues around safety, privacy, fairness, explainability, and accountability.
[The author would like to acknowledge the research contributions from R.P. Jagadeesh Chandra Bose, Kapil Singi, Vikrant Kaulgud, Kanchanjot Kaur Phokela and Sanjay Podder, Accenture Labs, Bangalore, India, and Pranav Kudesia, Accenture Research, Bangalore.]
This blog is an excerpt of our research work published in [1].
References
1. R.P. Jagadeesh Chandra Bose, Kapil Singi, Vikrant Kaulgud, Kanchanjot K. Phokela, Sanjay Podder: Framework for Trustworthy Software Development. 1st International Workshop on Explainable Software (EXPLAIN), co-located with the 34th IEEE/ACM International Conference on Automated Software Engineering (ASE), 2019.