Abstract
Software services play a crucial role in daily life, with automated actions determining access to resources and information. Trusting service providers to perform these actions fairly and accurately is essential, yet challenging for users to verify. Even with publicly available codebases, the rapid pace of development and the complexity of modern deployments hinder the understanding and evaluation of service actions, including for experts. Hence, current trust models rely heavily on the assumption that service providers follow best practices and adhere to laws and regulations, which is increasingly impractical and risky, leading to undetected flaws and data leaks.
In this paper, we argue that gathering verifiable evidence during software development and operations is needed for creating a new trust model. Therefore, we present TrustOps, an approach for continuously collecting verifiable evidence in all phases of the software life cycle, relying on and combining already existing tools and trust-enhancing technologies to do so. For this, we introduce the adaptable core principles of TrustOps and provide a roadmap for future research and development.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
(CVE-2024-3094) https://nvd.nist.gov/vuln/detail/CVE-2024-3094.
- 2.
- 3.
- 4.
- 5.
- 6.
“Other optional tools in MongoDB Atlas require customer query log data to transit through our US-based servers.” – https://www.mongodb.com/legal/privacy.
- 7.
A continuously updating collection of these resources is available here: https://github.com/trustops/awesome-trustops.
References
Bass, L., Weber, I., Zhu, L.: DevOps: A Software Architect’s Perspective. Addison-Wesley Professional (2015)
Dauterman, E., et al.: Reflections on trusting distributed trust. In: Proceedings of the 21st ACM Workshop on Hot Topics in Networks, pp. 38–45 (2022)
Delignat-Lavaud, A., et al.: Why should i trust your code? Queue 21(4), 94–122 (2023)
Eberhardt, J.: Scalable and privacy-preserving off-chain computations. Ph.D. thesis, TU Berlin (2021)
Enoiu, E.P., et al.: VeriDevOps software methodology: security verification and validation for DevOps practices. In: Proceedings of the 18th International Conference on Availability, Reliability and Security, pp. 1–9 (2023)
Fitzgerald, B., Stol, K.J.: Continuous software engineering: a roadmap and agenda. J. Syst. Softw. 123, 176–189 (2017)
Grünewald, E.: Cloud native privacy engineering through DevPrivOps. In: Friedewald, M., Krenn, S., Schiering, I., Schiffner, S. (eds.) Privacy and Identity 2021. IAICT, vol. 644, pp. 122–141. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99100-5_10
Heiss, J.: Trustworthy data provisioning in blockchain-based decentralized applications. Ph.D. thesis, TU Berlin (2023)
Hou, F., Jansen, S.: A systematic literature review on trust in the software ecosystem. Empir. Softw. Eng. 28(1), 8 (2023)
Hühnlein, D., et al.: FutureTrust–future trust services for trustworthy global transactions. In: Challenges in Cybersecurity and Privacy-the European Research Landscape, pp. 285–301. River Publishers (2022)
Industrial communication networks - Network and system security. Standard, International Electrotechnical Commission (IEC), Geneva, CH (2009)
Security and resilience - Authenticity, integrity and trust for products and documents. Standard, ISO, Geneva, CH (2023)
Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors. Standard, ISO, Geneva, CH (2019)
Information technology - DevOps - Building reliable and secure systems including application build, package and deployment. Standard, ISO, Geneva, CH (2022)
Manuel, P.: A trust model of cloud computing based on quality of service. Ann. Oper. Res. 233, 281–292 (2015)
Mayer, R.C., et al.: An integrative model of organizational trust. Acad. Manag. Rev. 20(3), 709–734 (1995)
Myrbakken, H., Colomo-Palacios, R.: DevSecOps: a multivocal literature review. In: Mas, A., Mesquida, A., O’Connor, R.V., Rout, T., Dorling, A. (eds.) SPICE 2017. CCIS, vol. 770, pp. 17–29. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67383-7_2
European Parliament and Council of the European Union: General Data Protection Regulation (2018). https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679
Ross, R., Winstead, M., McEvilley, M.: NIST SP 800-160 Vol. 1 Rev. 1: Engineering Trustworthy Secure Systems (2022)
Sánchez-Gordón, M., Colomo-Palacios, R.: Security as culture: a systematic literature review of DevSecOps. In: Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops, pp. 266–269 (2020)
Ting, H.L.J., et al.: On the trust and trust modeling for the future fully-connected digital world: a comprehensive study. IEEE Access 9, 106743–106783 (2021)
Acknowledgements
Funded by the European Union (TEADAL, 101070186). Views and opinions expressed are, however, those of the author(s) only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authority can be held responsible for them.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Brito, E., Castillo, F., Pullonen-Raudvere, P., Werner, S. (2025). TrustOps: Continuously Building Trustworthy Software. In: Kaczmarek-Heß, M., Rosenthal, K., Suchánek, M., Da Silva, M.M., Proper, H.A., Schnellmann, M. (eds) Enterprise Design, Operations, and Computing. EDOC 2024 Workshops . EDOC 2024. Lecture Notes in Business Information Processing, vol 537. Springer, Cham. https://doi.org/10.1007/978-3-031-79059-1_4
Download citation
DOI: https://doi.org/10.1007/978-3-031-79059-1_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-79058-4
Online ISBN: 978-3-031-79059-1
eBook Packages: Computer ScienceComputer Science (R0)