Heartbleed vulnerability


One of the key themes cropping up at this weeks  Pipeline Conference on Continuous Delivery was the importance of quality and cycle time. Continuous Delivery isn't about automating your processes but delivering small incremental changes to customers quickly with low risk.

For successful Continuous Delivery you need to consider cycle time and the constraints in your processes that delay delivery. If you just focus on automation of the processes and don’t focus on the constraints then you will still be delivering software at the same pace as before.

Being able to respond and deliver changes quickly can be a business advantage but there is also one for the well being and culture of your team. If we think of the recent and critical  Heartbleed vulnerability in OpenSSL there has been the need to rapidly deploy new versions of OpenSSL and reissue potentially compromised SSL certificates.

When you deliver software every 3 months you would have to do a critical fix and production release outside your normal schedule. This would involve taking people off their normal work and could be risky and stressful time for them to fix the vulnerability quickly. You may even have to schedule maintenance time out of hours to take systems offline for the work to take place. This short notice of evening work doesn’t go down too well with employees.

At Hindsight we can deploy new features and modifications multiple times a day without interruptions. Our time from implementation completion to production release being less than 15 minutes. From the moment we heard about the security issue to the fix (including revoked and reissued SSL certificates) being deployed took little under an hour (Getting new SSL certificates took the majority of the time; 40 minutes). This was a stress free process for the team and was picked up as normal work item by a single team member. We could do this without any stress because we had a refined delivery process with a short cycle time for releases as normal practice.

There are many more business advantages to Continuous Delivery and short cycles times but emergency situations aren't often mentioned. For us these emergency situations don’t appear as emergencies, they just get picked as a normal task and released promptly just like any other feature without causing any stress to employees or risk to the business.

You may also like…