Phase 5: Implementation
During the Implementation phase, the tested and approved application is deployed into the production environment. For Osborn, this process is automated via Bitbucket Pipelines and follows a strict branch promotion workflow.
Key Activities
1. Deployment
- Staging Deployment: Code is first promoted from `develop` to the `stage` branch, which triggers an automatic deployment to the staging environment for final QA and UAT.
- Production Deployment: After successful validation in staging, the code is merged from `stage` to `main`. This action triggers the production deployment pipeline.
- Infrastructure as Code (IaC): The production infrastructure is deployed using the same validated IaC definitions as the lower environments, ensuring consistency between staging and production.
- Segregation of Duties: For any manual steps, the person who develops a change cannot be the one to deploy it. In Osborn, this is enforced by the Bitbucket PR and merge process: developers do not have direct access to merge to `main`, so the merge that triggers a production deployment is performed by an approver rather than the author of the change.
2. Final Security Validation
- Enable Security Controls: All required security controls are enabled and configured in the production environment as part of the automated deployment.
- Web Application Firewall (WAF): The Osborn application is placed behind the Omnicom Corporate Web Application Firewall (WAF).
- Dynamic and Penetration Testing: For major releases, final security testing is scheduled with Omnicom AppSec. This includes:
- Dynamic Application Security Testing (DAST)
- API Testing
- Penetration Testing
- Final Security Review: Key stakeholders and leadership conduct a final security review before the production release is signed off.
3. Documentation and Training
- CMDB Updates: The application's component and configuration information must be updated in the Configuration Management Database (CMDB) hosted in the ServiceNow platform. This is typically triggered by the deployment pipeline.
- System Documentation: Final design and operating instructions are updated and stored in this documentation site.
- Training:
- System administrators are trained on any new security or operational requirements.
- End-users are trained on the new features.
Control Point
- The final Control Point is the merge to the `main` branch, which must be approved by the designated project leads in Bitbucket.
- No Critical/High Vulnerabilities: The Bitbucket pipeline blocks any deployment to production if any known Critical or High vulnerability is detected. End-of-Life (EOL) libraries are treated as High vulnerabilities for this purpose.
- This control point ensures that all quality, business, client, testing, and security approvals are complete before the solution goes live in the Operations/Maintenance phase.
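As an added illustration of the branch promotion flow (Deployment, above) and the Critical/High gate at the Control Point, the following Python script shows the decision a production gate step would make. This is example code, not Osborn's pipeline or any scanner's output: the report schema, component names, finding ids and severities are constructed assumptions, and in a real pipeline the report would come from whatever scanner the pipeline runs.

```python
"""Production deployment gate (added example, not Osborn pipeline code).

Implements the rule from the Control Point: a run on `main` is refused if the
scan report contains any Critical or High finding, and end-of-life (EOL)
libraries count as High. Runs on `stage` deploy to staging regardless, and
runs on other branches deploy nothing.
"""
import json
import sys

# Branch promotion flow: develop -> stage (staging) -> main (production).
DEPLOY_TARGETS = {"stage": "staging", "main": "production"}

# Severities that block a production deployment.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample scan report in an assumed, simplified schema.
# Component names, versions and finding ids are placeholders, not real
# packages or advisories.
SAMPLE_REPORT = {
    "components": [
        {"name": "web-framework", "version": "3.2.0", "eol": False,
         "vulnerabilities": [{"id": "finding-1", "severity": "Medium"}]},
        {"name": "legacy-parser", "version": "1.0.0", "eol": True,
         "vulnerabilities": []},
        {"name": "tls-lib", "version": "2.8.1", "eol": False,
         "vulnerabilities": [{"id": "finding-2", "severity": "critical"},
                             {"id": "finding-3", "severity": "low"}]},
    ]
}


def blocking_findings(report):
    """Return (component, severity, reason) for every finding that blocks
    production. EOL libraries are reported as a synthetic HIGH finding."""
    found = []
    for comp in report.get("components", []):
        label = f"{comp['name']}@{comp['version']}"
        if comp.get("eol"):
            found.append((label, "HIGH", "end-of-life library (treated as High)"))
        for vuln in comp.get("vulnerabilities", []):
            # Normalise case so "critical" and "CRITICAL" are treated alike.
            sev = str(vuln.get("severity", "")).upper()
            if sev in BLOCKING_SEVERITIES:
                found.append((label, sev, vuln.get("id", "unknown")))
    return found


def gate(branch, report):
    """Decide what a pipeline run on `branch` may do.

    Returns (decision, environment, blockers) where decision is one of
    "skip" (branch deploys nothing), "deploy" or "blocked".
    """
    env = DEPLOY_TARGETS.get(branch)
    if env is None:
        return "skip", None, []
    blockers = blocking_findings(report)
    if env == "production" and blockers:
        return "blocked", env, blockers
    # Staging still deploys; blockers are returned so the step can warn.
    return "deploy", env, blockers


def main(argv):
    """CLI wrapper: `gate.py <branch> [report.json]`; exit 1 when blocked."""
    branch = argv[1] if len(argv) > 1 else "main"
    if len(argv) > 2:
        with open(argv[2]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    decision, env, blockers = gate(branch, report)
    for label, sev, reason in blockers:
        print(f"{sev}: {label}: {reason}")
    print(f"branch={branch} environment={env} decision={decision}")
    return 1 if decision == "blocked" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as a pipeline step with the branch name (Bitbucket exposes it as `BITBUCKET_BRANCH`) and the scanner's report path; a non-zero exit stops the production deployment, which is what the Control Point requires. The staging run deliberately does not block, matching the page, which only mandates the gate for production; tightening it to staging as well is a one-line change in `gate`.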