Providing customers with a secure, highly innovative, leading-edge product, delivered at high velocity and with high quality, is a cornerstone of One Model's core values.
The One Model product development group runs in continually rolling two-week sprints. At the end of each sprint, the latest software is deployed to a pre-production environment and then, approximately two weeks later, deployed to production for all customers.
Rigorous quality assurance testing is performed at each stage of the development cycle, i.e.:
- Individual Software Developer environments
- Development - a shared space for all merged code
- Pre-Production - release candidate testing
As per contemporary approaches to software development, the individual scrum teams (which are composed of Software Developers, Product Managers and Quality Assurance) factor in security, testing and quality assurance as part of the process of defining and building all work.
Individual developers build integrated tests into their software and promote this into the shared Development environment.
Automated and manual quality assurance testing is performed in the Development environment to confirm the expected behaviour of each new feature, enhancement or bug fix, as well as broader regression testing. This review is performed by the dedicated Quality Assurance Team and Product Management, and all code is peer reviewed within the Development team.
At the end of the sprint the software in the development environment is released to the Pre-Production environment. The pre-production environment is managed and protected in the same way as the production environment and runs the same infrastructure configuration. The pre-production environment is designed to ensure real-world integration stability across the whole application and for end-to-end quality assurance testing using real external system connections provided by customers for testing purposes.
After final testing in the pre-production environment, the release is deployed into the production environment for customers. At the time of release, customer data loads and other processes are paused, then resumed post-release. Post-release testing is also performed to ensure the health of the production environment and to give confidence that customer data is flowing as expected.
Secure Development Lifecycle
One Model follows the Microsoft Security Development Lifecycle (SDL) practices to reduce the number and severity of vulnerabilities in our software. These practices include:
- Providing security best practice and secure coding training to software developers
- Defining security requirements
- Managing the risk of third-party components
Issue Intake and Root Cause Analysis Process
Issues in the production environment can be identified by the One Model team or by customers. The One Model team has a range of monitoring in place to continually assess the health of the application and the operating environment. Additionally, the development team proactively reviews logs and system telemetry on a daily basis to find issues and relay them to the appropriate One Model team members for investigation.
When customers identify and report issues, these are first investigated by the appropriate customer contact and triaged in terms of the area of the application and the expertise required. Naturally, issues sometimes present as one thing and are found to be something else, and One Model's approach to deep collaboration across teams aims to ensure the right problems have the right people working them to resolution.
Customer issues are first reported via a support ticket, or directly to the One Model Customer Success representative, who aims to identify whether the issue is related to configuration, existing application functionality, a possible data modelling issue, the AWS operating environment or a possible software bug. If not solved directly, the customer success team will often consult with their counterparts in other teams to determine what category of issue they are dealing with. One Model runs an internal collaboration application that facilitates this conversation in a centralised manner.
Data modelling issues are prioritised and resolved by the data modelling lead assigned to that customer. Sometimes these issues require software enhancements, and these are logged in Jira and discussed with the Product and Development team for prioritisation on the roadmap.
Potential software bugs are logged as issues in Jira. The Development team will triage the issue and assess priority based on input from the customer success team and customer. Critical issues are immediately assigned to a Developer for analysis and resolution (supported by the broader Development team as needed).
Once a solution has been identified for a critical customer issue, regular processes are followed to peer review the solution/code, perform testing and merge into the Development environment.
The decision to issue a software patch is made by balancing the complexity and interconnectedness of the code, overall risk to stability and customer criticality. Patches are approved by engineering leads, or One Model's CTO, and are first applied to the pre-production environment for real-world testing and then released to the production environment. Testing follows this process through to Production, ending with confirmation that the issue was resolved. For critical issues, or issues where the cause is specific to a customer's data or configuration, a patch can be issued directly to the production environment.
All software development work is tracked and managed via Jira, where trends are monitored and detailed root cause analysis is conducted, with after-action reviews and retrospectives performed in an open, collaborative environment to ensure continuous improvement.