Biblio

Intelligent software applications are becoming ubiquitous and pervasive affecting various aspects of our lives and livelihoods. At the same time, the risks to which these systems expose the organizations and end users are growing dramatically. Trustworthiness of software applications is becoming a paramount necessity. Trust is to be regarded as a first-class citizen in the total product life cycle and should be addressed across all stages of software development. Trust can be looked at from two facets: one at an algorithmic level (e.g., bias-free, discrimination-aware, explainable and interpretable techniques) and the other at a process level by making development processes more transparent, auditable, and adhering to regulations and best practices. In this paper, we address the latter and propose a blockchain enabled governance framework for building trustworthy software. Our framework supports the recording, monitoring, and analysis of various activities throughout the application development life cycle thereby bringing in transparency and auditability. It facilitates the specification of regulations and best practices and verifies for its adherence raising alerts of non-compliance and prescribes remedial measures.

The software development life cycle (SDLC) starts with business and functional specifications signed with a client. In addition to this, the specifications also capture policy / procedure / contractual / regulatory / legislation / standard compliances with respect to a given client industry. The SDLC must adhere to service level agreements (SLAs) while being compliant to development activities, processes, tools, frameworks, and reuse of open-source software components. In today's world, global software development happens across geographically distributed (autonomous) teams consuming extraordinary amounts of open source components drawn from a variety of disparate sources. Although this is helping organizations deal with technical and economic challenges, it is also increasing unintended risks, e.g., use of a non-complaint license software might lead to copyright issues and litigations, use of a library with vulnerabilities pose security risks etc. Mitigation of such risks and remedial measures is a challenge due to lack of visibility and transparency of activities across these distributed teams as they mostly operate in silos. We believe a unified model that non-invasively monitors and analyzes the activities of distributed teams will help a long way in building software that adhere to various compliances. In this paper, we propose a decentralized CAG - Compliance Adherence and Governance framework using blockchain technologies. Our framework (i) enables the capturing of required data points based on compliance specifications, (ii) analyzes the events for non-conformant behavior through smart contracts, (iii) provides real-time alerts, and (iv) records and maintains an immutable audit trail of various activities.