Trust in software through design thinking

Sarah Gold
Writing by IF
Published in
5 min readMay 19, 2022


Reducing data and trust breaches caused by software used by organisations worldwide

We are working with Google and partner organisations, alongside an ecosystem of open source developers, to make software trustworthy.

This takes changing the culture of software development

Today roughly 70–90% of any software consists of open source software, and 84% of that software has a vulnerability.

Many of those vulnerabilities lead to the disruption to vital services and big data breaches that we’re seeing. These breaches make us all worry -

  • Can I trust that my hospital’s IT systems will be working when our patients need healthcare?
  • Can I trust that my banking data is secure?
  • Do we know what software we use and what data we hold?

Log4J was a recent vulnerability. It impacted over 35,000 Java packages used by hundreds of thousands of organisations.

For business, vulnerabilities in software makes using software very expensive

Software is often unsafe for many reasons, from how it’s written to how it gets deployed. Some of these challenges are hard. Some come from a lack of best practise, or that best practise isn’t yet a cultural or operational norm.

IF is helping to design, build and ship products and services developers can trust

We are working closely with Google Open Source Security (GOSST). We work with the engineering teams at GOSST as an external product team.

Optimising for trust means optimising for adoption

The aim of our work is to help design tooling that developers can trust, in order to maximise adoption and market share of those tools. That’s because changing the culture of software development is only possible with critical mass. Critical mass of developers, policy makers and technology leaders who are willing and able to make those changes happen.

A graph showing increased contribution to the Sigstore project over time
While this cannot all be attributed to IF’s work, there were many other people doing engagement and communications work. The sigstore community grew significantly when IF began work. Sourced from Linux Foundation insights

Changing how software is made to optimise for trust, means reducing risk for all organisations that use technology.

Trustworthy software unlocks value for:

  • Individuals: frees up developer resource to build features not manage security risks.
  • Business: reduce costs.
  • Society: makes the software our society depends on more secure and reliable

“If we don’t take software supply chain seriously, then people will copy the bad patterns.” — Head of Open Source read more of the research

The impact of this work is significant

Sigstore, Scorecards and SLSA are some of the products we are working on. All of these are in use in major multinational companies that underpin the services we use every day.

A low-fi concept: Integrating sigstore with GitHub from our original discovery work. Sigstore is now being integrated as a GitHub action.
Imagining Sigstore as a globally adopted signing and verification standard, from our original discovery work.

What does it take to design for trust?

We take an ecosystem perspective

We act like a translator and strategist for GOSST. We understand the technology whilst also imagining its implications at an ecosystem level. That’s important. This work is about designing new trusted systems. Systems that consist of capabilities, approaches and, above all, people that provide ways of earning and preserving trust.

While this work is delivered in the form of products and services, the issues they touch on represent deep, philosophical change at a systems level. They influence and inform bigger policy decisions that sit across company and state boundaries. This is about shaping a new system that’s more resilient, and capable of strengthening consumer and stakeholder trust.

We design for equity

There are many communities and individuals around the world who develop and consume open source software. They span the public, private and third sectors. We are emphasising speaking to historically underrepresented developers upfront in our research. To ensure that what we design supported their needs, to scale the ambition of the different products and services.

We act as a trusted 3rd party

This is a fascinating and complicated area to work in. The technology landscape is advanced and the communities are decentralised. So bringing parties together, from corporates to open source communities, into spaces with high trust has been critical to the success of the projects. We act as trusted 3rd party and build common language and understanding to raise and set new standards of practise.

We design with new methodologies

We have been using our methodologies (being published soon) that strengthen and repair trust by building more discipline around responsibility during product creation. They include making ethics conversations tangible, practical and implementable. Frameworks that guide product development decisions, raise ethical trade-offs and encourage conversations across teams to de-risk activities and raise the quality of the user experience.

“Working with IF is a pleasure. Their high quality of work, unique methodologies and ways of working meant we could accelerate our products in a way that I’ve not seen with other teams.” — Kim Lewandowski, cofounder Chainguard.

The Return on Trust

At IF, we are redesigning trust in technology.

We believe that different entities (for example people, businesses, institutions) should be able to easily and reliably decide whether to trust in each other. Our work aims to help with two parts of this vision. We help:

  1. Organisations become more trustworthy, and demonstrate that trustworthiness to their users through better products and services
  2. Create an enabling environment, or trust infrastructure, of third parties and capabilities that help people navigate trust.

We’re proud to be working with GOSST and their partners on redesigning what trust in open source software means, and how that manifests itself in products and services.

If you think you could benefit from these approaches then we’d love to hear from you. Let us know, say hi.



Sarah Gold
Writing by IF

Designing for trust. Founding partner and CEO @projectsbyif