Adelina
September 10, 2025

Optimizing Continuous Deployment for Agile Frameworks and DevSecOps

This session explores advanced Continuous Deployment (CD) strategies that accelerate software delivery while ensuring security, reliability, availability and compliance - all while supporting Agile principles of rapid iteration, continuous improvement and early delivery of value. The session highlights strategies to streamline releases, improve release frequency and integrate security seamlessly into the Software Development Life Cycle (SDLC) and DevSecOps workflows, aligning with Agile principles for faster, more reliable and secure delivery.

Transcript

  1. Agile Tour Vienna 2025

    Optimizing Continuous Deployment for Agile Frameworks and DevSecOps
    Adelina Stanciu, Senior Engineering Manager at Finastra
  2. About Me

    • Over 15 years of software development experience.
    • Leading teams across finance, automotive and cybersecurity.
    • Designed, developed and deployed scalable applications.
    • Independent trainer passionate about sharing knowledge.
    • Proficient in project planning and stakeholder coordination.

    9/11/2025 https://agiletourvienna.at/
  3. Overview

    Actionable insights:
    • Resilient deployment pipelines
    • High availability
    • Business continuity

    Key Topics:
    • Continuous Deployment in Agile Frameworks
    • Metrics, strategies that accelerate software delivery
    • Security in the SDLC with DevSecOps
    • Optimizing Deployment Pipelines
    • Fostering Collaboration Between Development, Operations and Security Teams
    • Examples focusing on lessons learned and outcome, release maturity level
  4. CI/CD Definition

    Continuous Integration (CI): automatically building and running a suite of tests after each code change or at frequent intervals throughout the day.
    Continuous Delivery (CD): deploying each successful build to a test/staging environment for further validation, such as load testing or manual exploratory testing.
    Continuous Deployment (also CD): every change that passes all automated tests and checks is automatically deployed to production, with no manual approval needed. It needs a strong collection of tests and a rollback mechanism in place.
  5. Agile Principles in CD - Iteration

    • Align continuous deployment closely with Agile iteration principles.
    • Small, frequent deployments enable rapid iteration and fast feedback.
    • Reliable releases support continuous value delivery to customers.
    • Automate processes to reduce manual overhead and increase efficiency.
    • Teams learn and adapt more quickly through iterative cycles.
    • Customer feedback is incorporated earlier in the development process.
  6. Agile Principles in CD - Continuous Improvement

    Measuring and Refining Releases: Frequent deployments help teams measure outcomes, collect feedback and refine products and processes for ongoing improvement.
    Integrating Lessons Learned: Lessons from each release are integrated, improving release planning, automation and resource allocation for better results.
    Role of SRE and DevOps: SRE and DevOps teams use feedback to design efficient systems, while automation reduces costs and boosts productivity.
  7. Accelerating Value Delivery

    Rapid Feature Rollout: Continuous Delivery enables teams to quickly release new features and fixes, reducing the time from concept to customer impact.
    Maximizing Value with VSM: Value Stream Management supports frequent, high-quality releases that deliver optimal value, guided by measurable metrics.
    Measuring and Refining Delivery: Using DORA metrics and customer feedback helps teams refine their processes and maintain a competitive advantage.
  8. Enhancing DevOps with DORA Metrics

    Role of DORA Metrics: Smarter, informed decisions. DORA metrics help teams improve by tracking deployment frequency, lead time, failure rate and recovery speed.
    Managing Change Failure Rate: Change failure rate reflects failed deployments. Balancing speed with reliability ensures stability and continuous delivery. Ideally the rate is 0-15%.
  9. DevOps Practices and Performance

    Test Automation and Small Batches: Automating tests and using small batches help teams quickly detect and fix defects, lowering failure rates. Trunk-based development. Smoke tests.
    Frequent and On-demand Deployments: High-performing teams deploy updates multiple times daily to deliver value faster.
    Rapid Failure Recovery: High-performing teams recover from failures within an hour, reducing downtime by quickly identifying and fixing issues. Monitoring and access are needed for AppOps.
  10. Continuous Deployment: Seamless Releases

    Automated Releases
    • Releases to production when all quality and compliance checks are successful.

    Multi-Level Testing
    • Unit, Integration, API, UI and security tests - reliable and compliant releases.

    Mocking and API Validation
    • Integration tests use mocks for dependent systems.
    • API testing automation, Postman
    • API security authentication, input validation
  11. Automated Deployment in SDLC

    Continuous Deployment automates releases, minimizing manual work after development and testing.
    DEV -> QA -> UAT -> PROD
    Approval by group owners is needed before moving code through QA, UAT and Production.
    Final release occurs after QA, UAT and Sec sign-offs, delivering the software to users.
  12. Streamlined Change Management

    Multi-Stakeholder Approvals: Approval is required from change management, technical owners and group managers. ServiceNow is used for change management.
    Automated Compliance Checks: Security and change management approvals -> automated scans and compliance checks. Assess impact and risk.
    Predefined Workflow Efficiency: Standardized workflows streamline processing.
  13. Change Management Risk
  14. Key DevOps Pipelines

    Build Pipeline
    • The Build pipeline checks out source code, compiles it, runs automated tests and generates deployable artifacts.

    Release Pipeline
    • The Release pipeline deploys builds to various environments, incorporating approval stages for each team to ensure quality.

    Infrastructure Pipeline
    • The Infrastructure pipeline provisions and configures infrastructure resources, supporting smooth delivery and deployment for all applications.
  15. Build Pipelines
  16. Release Pipeline Overview

    The dashboard tracks four repositories through Development, QA, UAT and Production stages for clear release visibility.
  17. Team-Level Code Agreements

    Pre-deployment
    Clear Speed Targets: Team-Level Agreements define clear timeframes for code review, merging and deployment to ensure fast development cycles.
    Merging Priorities: Urgent fixes are merged within 1 hour, small pull requests within 8 hours and complex requests within 48 hours.
    Prompt Feedback and Deployment: Code reviews target feedback within 2 hours and urgent deployments should happen within 1 hour post-merge.
  18. Securing the SDLC with DevSecOps

    Early Security Integration: Embedding security in the SDLC from the start detects vulnerabilities early and reduces costly risks in production.
    Automated Security Scanning: DevSecOps practices use automated tools for SAST, DAST and SCA scans directly within CI/CD pipelines.
    Collaboration and Enforcement: Security and development teams review scan reports and builds fail when high-severity issues are detected.
  19. Proactive SCA and Integration

    Continuous Monitoring of Libraries: Third-party libraries are routinely checked and updated to prevent vulnerabilities, ensuring a secure software environment at all times.
    Integrated Security Testing: Security testing is built into the deployment process, enabling automated detection and remediation of security issues immediately.
    Ongoing Security Assurance: Verification steps maintain ongoing security assurance, ensuring any issues are quickly identified and resolved for continuous protection.
  20. Integrating SAST into the CI/CD Pipeline

    • Integrating both tools into the CI/CD pipeline enhances overall security posture.
    • Automated scans can provide immediate feedback to developers during coding phases.
    • Regular updates and scans ensure ongoing security compliance.
  21. Configuring SAST Thresholds
  22. Integrating SCA into the CI/CD Pipeline
  23. Threats Remediation Policy

    Remediation Timeframes: High-severity issues require fixes within 30 days, medium within 60 and low within 90 days to manage risk.
    Comprehensive Testing Approach: Annual external penetration tests, along with automated scans, ensure thorough vulnerability coverage for all systems.
    Focus on Critical Vulnerabilities: High-severity vulnerabilities often match OWASP Top 10 issues, including broken authentication, injection and access control flaws.
  24. Threat Example and Mitigation

    Identifying CSRF Vulnerabilities: CSRF attacks cause malicious commands to be submitted on behalf of trusted users. We discovered these risks in the credit card payment process and password recovery using Burp Suite.
    Solution: Implementing anti-CSRF tokens for all security-sensitive business functions.
    Verifying with Automated Testing: Automated tests were created to ensure the CSRF vulnerability is fixed and cannot be exploited again.
  25. Continuous Security Monitoring

    Real-Time Security Monitoring: Continuous monitoring in production environments helps promptly detect and address security issues before escalation.
    Vulnerability Scans - Qualys: Regular scans assess all endpoints for vulnerabilities, ensuring timely identification of risks across devices.
    Comprehensive Cloud and Server Analysis: Daily scans target servers and cloud environments, focusing on operating systems, applications, virtual machines and containers.
  26. Release Pipeline Dashboard Overview
  27. Release Pipeline Dashboard Overview
  28. Security Dashboard Overview

    Dynamic Security Scoring: Each product's security maturity score is updated by automated scans, architecture reviews and penetration tests. Separate dashboards for release and DevOps metrics vs. security -> next: unified dashboard alignment for better security posture per release. Number of vulnerabilities per release.
    Security Assessment and Prioritization: Visualizing scores helps quickly assess security posture and prioritize security improvements throughout the release process.
  29. Prioritizing Vulnerability Management

    Severity-Based Prioritization
    • Vulnerabilities are ranked according to severity, system importance and exploitability to focus on critical risks first.

    Automated Detection Tools
    • Automated security tools scan, classify and integrate vulnerabilities - efficient tracking and action planning.

    Collaborative Remediation
    • Continuous monitoring and teamwork between Development, Security and Operations - fast risk mitigation.
  30. Resilient Deployment Strategies

    Blue-Green Deployment: Blue-Green Deployment uses two identical environments, minimizing downtime by allowing seamless transitions during software releases.
    Canary Deployment: Canary Deployment gradually releases new versions to a subset of users, enabling quick rollback if issues are detected.
    Enhancing Service Reliability: Both strategies significantly reduce risk, enhance reliability and ensure business continuity during deployments. They can be combined.
  31. Ensuring High Availability

    Distributed Service Deployment
    • Deploying services across multiple availability zones or regions increases resilience and supports continuous operation during outages.

    Smart Traffic Management
    • Load balancers and traffic managers route user requests for optimal performance and automatic failover during failures.

    Content Delivery Optimization
    • Content delivery networks cache content near users, reducing latency and improving load times for a better experience.
  32. Automated Deployment Steps

    End-to-End Automation
    • All deployment steps are fully automated, from service startup to running database scripts, reducing manual intervention.

    Database Migrations
    • Oracle database migrations use DbUp, providing consistency and reliability for database upgrades.

    Detailed Release Planning
    • Release plans specify each deployment step, including manual checks such as backup verification for added safety.

    Rollback Safety Procedures
    • Rollback builds and scripts are maintained per repository, ensuring safe recovery from deployment failures or updates.
  33. IaC and Monitoring Excellence

    Consistent Deployment: Infrastructure as Code enables reliable and repeatable Azure resource deployment.
    Efficient Provisioning: Terraform scripts simplify provisioning, minimizing errors and saving time.
    Active Monitoring: Ongoing monitoring supports real-time log analysis and fast issue resolution.
  34. Test Case Dashboard Insights

    Real-Time Test Overview
    • Dashboards give stakeholders a clear, instant summary of recent test case results to track project status.

    Stakeholder Confidence Boost
    • Passing all tests assures stakeholders that acceptance criteria are met, building trust in the project's quality.

    Deployment Readiness Assurance
    • Test confirmation signals that the release meets standards and reduces risk before moving to production.
  35. Test Case Dashboard

    • Azure API 2400 tests
    • Web app tests
  36. Release Safety - Feature Flags and Health Check

    Phased Feature Rollout: Feature flags let teams release new features gradually, minimizing the risk of widespread issues during production deployment.
    Efficient Flag Management: Dedicated tools make it easy to manage flags and swiftly toggle features on or off.
    Release Safety with Health Checks: Automated health checks verify environment stability before rollout.
  37. DevSecOps: Collaboration

    Unified Collaboration: DevSecOps unites Development, Security and Operations to build secure, reliable systems through close teamwork and communication.
    Security Issue Resolution: Security teams validate issues, reproduce problems and guide remediation, ensuring vulnerabilities are addressed effectively and promptly.
    Operational Insight: Operations teams provide essential logs and monitoring, contributing expertise to troubleshoot and maintain robust, secure systems.
    Handling Complex Scenarios: In challenging cases like Redis scan timeouts, all three teams collaborate to find root causes and strengthen security.
  38. Case Studies - Managing Scope

    Managing Scope Changes: Strict adherence to project deadlines and careful management of scope changes prevent last-minute complications in releases.
    Clear Communication for Milestones: QA, UAT, Sec sign-offs. Effective communication and strict change control help teams address defects promptly, maintaining high standards for quality and security.

    Recurring Themes:
    • Underestimated timelines and resource constraints.
    • Deferred issues and post-Go-Live support commitments.
    • Strong emphasis on structured remediation and communication.
  39. Case Studies - Manual Steps

    Managing manual steps
    • One-time steps don't need to be automated: install new versions, IIS configs

    Manual run of Oracle scripts, Oracle Migration and Pipeline Failures
    A major release disruption stemmed from Oracle password changes and migration steps that broke pipeline configurations.

    Lessons learned
    • All code needs to be in the repository, including scripts that need to be run one time, pre or post deployment
    • Oracle scripts should have been identified in development and added to the implementation doc

    Action items
    • Oracle migration fixes (check any missing scripts)
    • Update Oracle account passwords in the API web.config.
    • Oracle password and all secrets moved to the pipeline
    • Attach Oracle scripts to changes and implement automated alerts until DbUp integration is complete
    • Next step: Oracle migration scripts were integrated into the pipeline
  40. Case Studies - DB Migrations
  41. Case Studies - Automate Redis Cache Flush

    • Cache misses observed in the logs
    • Redis cache step was automated
  42. Automate Secrets Config

    • Previously in files
    • Centralize management of secrets and keys in Azure.
    • Initial setup automated to be reused when keys are updated
    • Use access policies to control permissions effectively.
    • Integrate Key Vault with applications for secure access.
    • Enable automatic key rotation for enhanced security.
  43. Next Steps Automation

    • Akamai step is often missed after subsequent UAT deployments
    • Akamai Purge is called on the pipeline after Redis Flush
    • Extension for Akamai Purge
  44. Streamlining Release Sync Across LOB

    Biweekly Progress Monitoring: A biweekly checkpoint ensures the release is on track with critical milestones like QA and UAT sign-off.
    Prompt Issue Resolution: Regular syncs help quickly identify and resolve outstanding issues, minimizing delays in the release process.
    Optimized Resource Utilization: Similar types of tasks across overlapping projects improve resource usage and workflow efficiency within the business line.
  45. Lessons Learned After Releases

    Documentation Walkthrough: Reviewing implementation documentation confirms tasks, dependencies and completeness before the release, reducing errors and omissions.
    Lessons-Learned Sessions: Post-release meetings involve all participants discussing successes, challenges and suggestions for improvement to refine future processes.
    Continuous Improvement: The process of gathering and applying lessons learned increases project efficiency and effectiveness for upcoming releases.
  46. The Future of CD & DevSecOps

    Automation and Resilience: Automation is central to modern CD and DevSecOps, enabling resilient systems that automatically roll back or fail over when issues arise. Sign-offs are completely automated.
    Enhanced Security Practices and Reliability: Reliability is enhanced with release agents verifying gate approvals and deployment readiness.
    Continuous Improvement via Error Detection: Advanced systems identify and analyze error patterns, enabling continuous improvement and faster adaptation to new challenges.
  47. Summary of Key Points

    • Continuous deployment is an advantage: small incremental changes ensure fast feedback and more reliable releases
    • DevSecOps ensures security is addressed early in the SDLC
    • A robust release process ensures quality, speed and compliance
    • Collaboration between Dev, Sec, Ops teams
    • Best practices for continuous deployment
      o Build, release, infrastructure
      o Multi-level testing
      o Monitoring, distributed services
  48. Contact Information

    For further inquiries or discussions, reach out anytime.
    Softwarecreator.dev
    medium.com/@adelinastanciu
    Adelina Stanciu
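
The build-failure rule on slide 18 and the remediation windows on slide 23 can be combined into one pipeline gate. The Python below is an added example, not code from the deck: the finding fields and sample findings are constructed, and failing the build on overdue items and on severities the policy does not name are assumptions.

```python
"""Pipeline security gate: block on high severity, flag missed remediation windows."""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows in days, as stated on the remediation policy slide.
SLA_DAYS = {"high": 30, "medium": 60, "low": 90}
# Severities that fail the build outright (slide 18).
BLOCKING = {"high"}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # hypothetical scanner-assigned identifier
    severity: str     # as reported by the SAST/DAST/SCA tool
    source: str       # "sast", "dast" or "sca"
    first_seen: date  # date the finding was first reported


def classify(finding: Finding, today: date) -> str:
    """Return 'block', 'overdue' or 'within_sla' for one finding."""
    severity = finding.severity.strip().lower()
    if severity not in SLA_DAYS:
        # Fail closed: a label the policy does not name (a scanner's own
        # 'critical' or 'unknown') must not slip through the gate.
        return "block"
    if severity in BLOCKING:
        return "block"
    deadline = finding.first_seen + timedelta(days=SLA_DAYS[severity])
    # The deadline day itself still counts as inside the window.
    return "overdue" if today > deadline else "within_sla"


def evaluate_gate(findings: list[Finding], today: date) -> dict:
    """Group finding ids by outcome and decide whether the build may proceed."""
    result = {"block": [], "overdue": [], "within_sla": []}
    for finding in findings:
        result[classify(finding, today)].append(finding.finding_id)
    # Assumption: a missed remediation deadline also fails the build.
    result["passed"] = not result["block"] and not result["overdue"]
    return result


# Constructed sample data, not real scanner output.
TODAY = date(2025, 9, 11)
SAMPLE_FINDINGS = [
    Finding("SAST-001", "High", "sast", date(2025, 9, 10)),   # blocks the build
    Finding("SCA-014", "medium", "sca", date(2025, 7, 1)),    # due 2025-08-30, overdue
    Finding("SCA-015", "medium", "sca", date(2025, 8, 1)),    # due 2025-09-30
    Finding("DAST-007", "low", "dast", date(2025, 6, 13)),    # due today, still in window
    Finding("SCA-020", "critical", "sca", date(2025, 9, 9)),  # unnamed label, fail closed
]

if __name__ == "__main__":
    outcome = evaluate_gate(SAMPLE_FINDINGS, TODAY)
    for key in ("block", "overdue", "within_sla"):
        print(f"{key}: {outcome[key]}")
    raise SystemExit(0 if outcome["passed"] else 1)
```

Run as a pipeline step, the non-zero exit code is what stops the release stage.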