ShIFt: software identity framework for global software delivery

In globally distributed software delivery, autonomous teams (crowd workers, vendors etc.) work together to build complex software. One of the key challenges in such an environment is to ensure integrity of software as it crosses the teams' boundaries. For example, during globally distributed software development, vulnerable open source components should not get introduced, or code should not be inadvertently changed. To track such essential characteristics of software, we propose a notion of a composite identity of software. ShIFt - the Software Identity Framework can construct sub-identities based on various elements of a software such as the code itself, third party components, run-time configurations etc. These sub-identities are then combined to generate a composite identity of a software. The key contributions of this paper are (i) an approach to create composite software identity and detect integrity issues between two instances of software, (ii) identification of the cause that led to integrity discrepancies, and (iii) prescription of remediation measures to maintain the integrity of software in the global delivery environment. We further use a Blockchain system to store and assess software identity, and consequently maintain software integrity.