Trust in software through design thinking
--
Reducing data and trust breaches caused by software used by organisations worldwide
We are working with Google and partner organisations, alongside an ecosystem of open source developers, to make software trustworthy.
This takes changing the culture of software development
Today roughly 70–90% of any software consists of open source software, and 84% of that software has a vulnerability.
Many of those vulnerabilities lead to the disruption to vital services and big data breaches that we’re seeing. These breaches make us all worry -
- Can I trust that my hospital’s IT systems will be working when our patients need healthcare?
- Can I trust that my banking data is secure?
- Do we know what software we use and what data we hold?
Log4J was a recent vulnerability. It impacted over 35,000 Java packages used by hundreds of thousands of organisations.
For business, vulnerabilities in software makes using software very expensive
Software is often unsafe for many reasons, from how it’s written to how it gets deployed. Some of these challenges are hard. Some come from a lack of best practise, or that best practise isn’t yet a cultural or operational norm.
IF is helping to design, build and ship products and services developers can trust
We are working closely with Google Open Source Security (GOSST). We work with the engineering teams at GOSST as an external product team.
Optimising for trust means optimising for adoption
The aim of our work is to help design tooling that developers can trust, in order to maximise adoption and market share of those tools. That’s because changing the culture of software development is only possible with critical mass. Critical mass of developers, policy makers and technology leaders who are willing and able to make those changes happen.
Changing how software is made to optimise for trust, means reducing risk for all organisations that use technology.
Trustworthy software unlocks value for:
- Individuals: frees up developer resource to build features not manage security risks.
- Business: reduce costs.
- Society: makes the software our society depends on more secure and reliable
“If we don’t take software supply chain seriously, then people will copy the bad patterns.” — Head of Open Source read more of the research
The impact of this work is significant
Sigstore, Scorecards and SLSA are some of the products we are working on. All of these are in use in major multinational companies that underpin the services we use every day.
- They are of international strategic importance, even discussed in the White House Summit on Open Source Security last week.
- They are now integrated into Google Cloud.
- Now major technology firms have pledged $140m over the next two years to help the Open Source Security Foundation carry out its roadmap.
- Sigstore is now a GitHub action, which means it is now automated as part of using GitHub. It’s also being incorporated into Ruby and Kubernetes.
What does it take to design for trust?
We take an ecosystem perspective
We act like a translator and strategist for GOSST. We understand the technology whilst also imagining its implications at an ecosystem level. That’s important. This work is about designing new trusted systems. Systems that consist of capabilities, approaches and, above all, people that provide ways of earning and preserving trust.
While this work is delivered in the form of products and services, the issues they touch on represent deep, philosophical change at a systems level. They influence and inform bigger policy decisions that sit across company and state boundaries. This is about shaping a new system that’s more resilient, and capable of strengthening consumer and stakeholder trust.
We design for equity
There are many communities and individuals around the world who develop and consume open source software. They span the public, private and third sectors. We are emphasising speaking to historically underrepresented developers upfront in our research. To ensure that what we design supported their needs, to scale the ambition of the different products and services.
We act as a trusted 3rd party
This is a fascinating and complicated area to work in. The technology landscape is advanced and the communities are decentralised. So bringing parties together, from corporates to open source communities, into spaces with high trust has been critical to the success of the projects. We act as trusted 3rd party and build common language and understanding to raise and set new standards of practise.
We design with new methodologies
We have been using our methodologies (being published soon) that strengthen and repair trust by building more discipline around responsibility during product creation. They include making ethics conversations tangible, practical and implementable. Frameworks that guide product development decisions, raise ethical trade-offs and encourage conversations across teams to de-risk activities and raise the quality of the user experience.
“Working with IF is a pleasure. Their high quality of work, unique methodologies and ways of working meant we could accelerate our products in a way that I’ve not seen with other teams.” — Kim Lewandowski, cofounder Chainguard.
The Return on Trust
At IF, we are redesigning trust in technology.
We believe that different entities (for example people, businesses, institutions) should be able to easily and reliably decide whether to trust in each other. Our work aims to help with two parts of this vision. We help:
- Organisations become more trustworthy, and demonstrate that trustworthiness to their users through better products and services
- Create an enabling environment, or trust infrastructure, of third parties and capabilities that help people navigate trust.
We’re proud to be working with GOSST and their partners on redesigning what trust in open source software means, and how that manifests itself in products and services.
If you think you could benefit from these approaches then we’d love to hear from you. Let us know, say hi.