Delivering CI/CD capabilities with suitable guardrails to support multi-supplier software development
The aim was to help move the department from legacy technology and waterfall ways of working to a modern, more collaborative department that would allow the free flow of change in a secure and agile way.
The department had selected Microsoft Azure as the target Cloud Platform, with the implementation being delivered by a third-party provider.
At the time of engagement, the department had sporadic tooling associated with small pockets of software development, and long release and deployment processes. Additionally, security testing was either poorly defined and executed or missing completely from the development process.
What we did:
We implemented a system for managing software development that allows for easy and secure changes, even when working with multiple teams. In order to achieve the right outcomes for the client, we embarked on the following activities:
- Conducted discovery work to understand development capabilities across multiple suppliers and levels of maturity.
- Assessed the levels of governance and control required for the future state to support rapid and secure development and deployment.
- Defined suitable and appropriate branching and merging guidance that was supported by pipelines with corresponding guardrails.
- Implemented starter Azure DevOps pipelines integrated with GitHub, following a controlled method to enable all new projects with a standardised process.
- Developed the provisioning of all service connections, agents and environments as repeatable infrastructure-as-code, utilising Terraform and ARM templates.
- Added code vulnerability scanning to the pipeline through Checkmarx integration.
- Coached all new development team members on the 'four eyes principle' and techniques for clean coding.
- Continue to run an active backlog of improvements relating to overall CI/CD.
- Improved agile velocity: removing the need to clear code blockages allowed rapid switching between different types of work and avoided consuming time unnecessarily.
- Enabled control by ensuring code would not be overwritten when switching branches, avoiding a potential loss of code due to developer mistakes.
- Vulnerability scanning at pull request drove greater confidence in software quality.
- The four eyes principle reduced the introduction of mistakes to the build processes.
- Software quality increased due to the introduction of automated unit tests aligned to the pipeline process.
- The quality of developer experience improved through self-serve tooling aligned to governance controls, which created a safe space for developers to be creative.
- Infrastructure standards improved and the scalability of the Azure instance grew due to repeatable Infrastructure as Code.
- Onboarding times for new third-party development teams were reduced from four weeks to a couple of days.
- Cloud Operations and Security teams had closer alignment with the software development teams.