Skip to main content

Development

Secure Software Release Coordination

by on December 23rd, 2019 | ~ minute read

The ultimate goal of all software development is the secure software release of the system to a user-accessible production environment. However, the road from code to production is often a long and perilous one. To reduce the apparent risk associated with a production release, many organizations place “gates” at various points along the release path. These include validation of testing results, security policy compliance, operational preparedness to support the release, etc. The release will stall at these gates until and unless all approvals are gathered. This approach offers the illusion of control while in reality offering very little by way of actual risk mitigation.

In my previous post, DevSecOps and Release Coordination, I introduced the idea of four key players in the release management process. The idea is to consolidate the validation and approval steps from a “gated” process, and shift the actual work of validation earlier in the development process. One key role in this secure software release coordination approach is the Release Coordinator. The Release Coordinator oversees all aspects of a product release from the announcement of a release candidate through the mechanics of deployment into production. To aid teams in understanding this role better I created a persona. This is a first-person description of the role, the responsibilities, tooling, and key artifacts.

Without further ado, please meet Antony, your Release Coordinator.

Release Coordinator Persona

As the Release Coordinator, I oversee the end-to-end product release process. 

I have oversight responsibilities to ensure that applications and systems:

  • have met all required readiness states (i.e. Product, Operation, Organization, and Security readiness)
  • have been properly scheduled for release support
  • are not in conflict with any other scheduled release (e.g. dependency and resource collision management)
  • have all the appropriate resources ready on the release date. 

I work closely with the Product Owner, Development Lead, Operations Coordinator, and Infrastructure Lead to coordinate the release process and ensure that the Organizational readiness is complete for the product.

ResponsibilityDescription
Coordinate release processI coordinate with all of the relevant stakeholders (e.g. Product Owner, Operations Coordinator, Infrastructure Lead, Development Lead) to ensure a timely and correct deployment of a particular application/system.
Product release readinessI ensure that all product release readiness states are complete prior to the product release date.  Once a product is placed on the release calendar by the Product Owner, it is assumed that the Product and Security readiness states are complete.  The remaining Operation and Organization readiness states are addressed during the release scheduling process workflow.
Audit release process fidelityPeriodically, I review with all of the development teams the release process mechanics.  This includes a review of the release readiness state assurance; if issues are found with compliance to the organization requirements regarding a particular readiness state then a remediation is determined.  Audits are performed on an as-needed basis to ensure that the process remains effective and efficient.

 

Secure Software Release Coordination-Release Coordinator Persona

Figure 1. The release coordinator persona’s story, goal, and frustrations

Before the actual production deployment, there are four required key release readiness states (Figure 2). These four product statuses provide confidence to the release team, consisting of the Product Owner, Operations Coordinator, Security Architect, and the Release Coordinator, that the production candidate release is ready for prime time. This team represents the sole deciders for what is, and is not, releasing to production. The decision is only influenced by product quality, compliance, and organization’s readiness to support. Each member of the release team is responsible for one of these states; this role ensures the production release preparation for the organization. During regularly scheduled release meetings, the team reviews each scheduled product release and capture the four readiness states.  If all states are approved, the product release moves forward.

Release Readiness States

Secure software release coordination- Release Readiness States

Figure 2. Release readiness states with owning personas

In this approach, only four reviewers/approvers exist for any given product release. The full authority for that release is also only born by these four roles, which greatly improves both the speed of release approval and clearly assigns the ultimate responsibility for release success.

Tool Use and Workflow Responsibilities

The Release Coordinator typically uses several tools to schedule, track, and perform deployments. The Atlassian Jira product tracks issues, product readiness activities, and verifies the release content (i.e. release notes).  To actually execute the deployment of other toolings, such as the UrbanCode release suite, can be used. In all cases, it is helpful to include a series of user and administrator guides to assist in proper tool configuration.

Release Coordinator Roles and Responsibilites

Figure 3. Release Coordinator example tooling and workflow responsibilities

The Release Coordinator has a specific set of responsibilities. Concerning secure software release coordination, this includes the stakeholder communication plan, prioritization of the release schedule to avoid deployment conflicts, ensuring that the necessary personnel is available on the release date, and to verify all environments are ready to accept the product candidate release.

For the release readiness review, the Release Coordinator schedules the release meeting (typically on a regular cadence with exceptions for emergency releases), reviews the product readiness states with the secure software release team and verifies the scheduled release date with the Product Owner and Operations Coordinator. Covered at this time are issues with the pending release or required pre-deployment activities. Only with formal agreement from all four members of the release team is the product candidate release ready for production.

Key Artifacts

There are several key artifacts that the Release Coordinator uses, tracks, or manages:

  • Release Plan – a detailed description of the steps required for production deployment
  • Release Schedule – anticipated date and time for the product release to production
  • Assertions of Release Readiness – assertion of four readiness states (Security, Product, Operation, Organization)
  • Resourcing Plan – all required personnel and other resources are available and reserved for the deployment
  • Deployable Unit – the packaged product candidate release for deployment

Conclusion

The Release Coordinator persona encapsulates and describes the activities, responsibilities, authority, and restrictions of this critical product deployment role. As the “first amongst equals” on the product release team, this persona is the final authority on the readiness of a given product to release into a production environment. As is the case with all significant authority, the Release Coordinator is ultimately responsible for the success of the product production deployment.

Tags

Thoughts on “Secure Software Release Coordination”

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Benjamin Lieberman, Director

Ben Lieberman is currently a Director in the Perficient Inc., Custom Development and DevSecOps (CDDO) delivery group. Dr. Lieberman has over twenty five years of software and systems development experience across a wide range of industries, including financial, government, telecommunications, life sciences, travel services, and space launch systems. He is highly experienced on multiple software development topics, including requirements analysis, system analysis and design, secure systems development, configuration management, and automated build/deployment (aka DevSecOps). He also has direct development experience in multiple languages including Python, Java, C#, C++, and Salesforce (APEX) coding languages, and works directly with development teams on agile delivery practices. Dr. Lieberman is an accomplished professional writer with a book (“The Art of Software Modeling”, Auerbach Publishing) and over three dozen professional IT articles to his credit. Dr. Lieberman holds a doctorate degree in Biophysics and Genetics from the University of Colorado, Anschutz Medical Center, Denver, Colorado.

More from this Author

Categories
Follow Us
TwitterLinkedinFacebookYoutubeInstagram