Service
Continuous Integration & Delivery
Overview

Agile development enables an organization to work iteratively and deliver incrementally. To help realize this goal, Quoin can recommend, adapt, and configure the tools and processes for Continuous Integration and Continuous Delivery (CI/CD). Although Quoin has experience in all aspects of development, we focus on build, test, and deployment functions since process improvements here yield the greatest impact on a development organization.

Experienced

We use these tools for managing tasks, source code, build, testing, and deployment on all client and internal projects, and can use this experience to help your organization be more productive.

Adaptive

Quoin understands that organizations work differently and brings best practices from different methodologies to support on-premises and cloud-based deployments.

Comprehensive

Our approach includes tools, practices, and coaching to ensure successful deployment with an organization.

Measurable

We trust in data, and can help your organization establish metrics for productivity and quality that will ensure an effective and sustainable model for agile development.

UNICEF Primero

Shown here is the main build and deployment dashboard for UNICEF Primero, which has a full CI/CD environment used by our global development team.

Approach

Agile Development

We are enthusiastic practitioners of agile and lean practices on Quoin and client projects. We use this user-centric approach because of demonstrated results in improved productivity and quality over traditional methodologies. In helping clients adopt agile, our focus is on improving collaboration, communication, and accountability in software development. We understand that agile is not just user stories and stand-ups – an effective process has to address management and implementation practices to achieve increased development and team productivity.

Containerized Deployments

As part of our CI/CD process, Quoin uses tools like Ansible (www.ansible.com) and Docker (www.docker.com) to containerize and automate deployments. Containerization allows us to constantly push new code integrations into a production-like environment. This ensures that we are running and testing our code under conditions that mimic real usage as closely as possible. We have also found that this process produces exceptional code stability and application security. Because Docker is platform-agnostic, applications that are deployed via Docker may run on any flavor of Linux as well as Windows Server. If a project team decides to change an application’s setup in the future, such as infrastructure upgrades or deploying the tool in other contexts, Docker’s platform-neutrality will ease the transition and reduce deployment cost and time.

Cloud Hosting

Quoin has designed, deployed, and maintained applications on a number of cloud hosting providers, including Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Cloud-based deployment carries a number of advantages over other approaches:

  • Low server costs with no hardware support overhead
  • Very high guaranteed availability SLAs
  • Tools to accommodate deployment of Docker containers
  • Transparent hardware security maintenance undertaken by Microsoft
  • Automatic server scaling to meet spikes in demand
  • Data durability and backups
  • Wide array of data center locations, allowing for a server configuration which ensures data transit between jurisdictions with strong data protection regulations
  • Specialized tooling for running databases that include database-specific scalability and backups
  • Tools to guarantee application high availability
  • An explicit contract with Microsoft that acknowledges UNICEF's unique privileges and immunities

Production Servers

While the specification of the hardware, operating system, and other software for a production environment will depend on the use case for the application in question, we generally recommend the following measures for most applications:

  • Performance and Availability: Leverage clustered servers and load balancers to ensure spikes in demand do not affect user load times or result in site outages
  • Monitoring and Resource Allocation: Allocate system resources (disk space, memory, CPU) based on expected usage. Monitor those resources and respond proactively based on real-life resource utilization
  • Security: Ensure that basic system security patterns are in place and follow the principle of least privilege: SSH access is hardened and key-based, network ACL rules limit access, services and files are configured to run under least-privilege users, and logs and temporary files are consistently cleaned up
  • Backup: Configure backup and restore capabilities to protect against data loss
  • Disaster Recovery: Leverage clustered servers, backup, and image management to provide a robust and well-documented disaster recovery process

Security

Quoin is committed to security and privacy and approaches the configuration of applications and web-based systems with a security-first mindset. Quoin’s comprehensive security strategy addresses hardware, network, operating system, and software.

  • Use Best Practices: Follow well-designed and widely accepted guidelines to reduce the risk and cost of building a secure system
  • Minimize Exposure: Reduce the number of exposed interfaces in order to reduce the risk of compromise
  • Simplicity: Security tools and processes that are difficult to understand, implement, or validate carry a risk of misapplication, which can create vulnerabilities
  • Defense in Depth: Layer multiple security mechanisms to increase overall system security. If an attack causes one security mechanism to fail, other mechanisms continue to protect the system. Defense in depth must be balanced with the simplicity principle
  • Least Privilege: Restrict user and group accounts to the minimum permissions sufficient to perform their functions. This includes restricting user and group rights and access to resources such as the file system, network, memory, and CPU
  • Fail Securely: When a configuration error or other security failure occurs, the default setting or action should always maintain security
  • Active Monitoring: Actively test the system to verify the current configuration, scan for new vulnerabilities, and detect intrusions
  • Automate: A scripted, repeatable, and consistent deployment process allows system security issues to be addressed like any other bug: once, in code, with source control

Software Configuration Management (SCM)

We use a wide range of tools for day-to-day implementation of work, including coding, debugging, source control, build, and continuous integration tools. We believe that many development organizations overlook the time and effort lost to poor SCM practices. We therefore focus on improving these fundamental processes. For example, a Quoin consultant can help an organization define an effective process for branching, reviewing, merging, and creating a new release. We have seen how improving these practices can save countless hours of engineering effort by reducing the 'waste' of failed releases.

Quality Assurance

Quoin views quality as intrinsic to the full development lifecycle and not a discrete function that can be accomplished after implementation. Thus, our teams apply practices throughout development that yield high quality software; for example, specifying user-acceptance criteria as part of a user story, or writing tests first before implementing any new object or module. Furthermore, we seek to leverage automated testing, including unit- and system-level regression testing. Our consultants can help a client embed these quality practices in requirements analysis, implementation, and testing phases of a project. The figure below shows the testing processes and primary role responsible for each in our comprehensive approach.

Release Management

Our project teams work closely with client staff to build, release to pre-production environments for quality assurance, and release to production. Thus, we understand the process and tools for dev-ops and release management. Our focus here is on using automation for building, testing, and releasing software to improve reliability, eliminate human errors, and ultimately reduce the effort for this critical function.