How To Release Compliant Software on Demand
How To Release Compliant Software on Demand

How To Release Compliant Software on Demand

In this blog we’ll explain how to automate the change and release compliance in a Secure Software Development Lifecycle. Merkely is new technology that enables teams in regulated industries, like fintech, to release compliant software on demand.

Software in regulated industries

The modern world runs on financial transactions, air traffic control, insulin pumps, and car braking systems. When technology becomes critical to our lives and our economies there is increased demand from customers and regulatory bodies to control associated risks.

To meet these requirements, organizations must define software development processes that ensure that safety and security risks are managed in a professional and repeatable manner.


Having defined and implemented a process, it is critical to document proof that the process is being followed. It is this evidence that auditors and bodies like the FCA use to ensure that your organization is compliant with the regulations.

The Bottleneck Problem

Regulated software development processes require many activities like version control practices, code review, security scanning, testing, and more. Typically, these activities are spread over several software systems.

This makes it hard to know if the compliance process is being followed and to know what to do if/when compliance steps are missed. Eventually, this creates a headache when it’s time for release and audit. Gathering the data to prove compliance is a manual, costly, time-consuming process. It’s also shown to be poor at mitigating risk and insider threat.

As software takes an increasingly central role in the success of all types of businesses, the demand to deliver more frequently increases the pressure on innovation cycle times.

For regulated industries like fintech, this creates a change management bottleneck at the end of the software delivery cycle. The challenge we face is overcoming the manual and bureaucratic processes that worked well in the past, but are no longer fit for purpose in today’s dynamic software development environments.

Breaking the DevOps Compliance Barrier

Research at DevOps Research Assessment (DORA) proves that today’s best performing technology organizations practice DevOps. However, meeting compliance requirements with DevOps demands a new approach. How do we release complaint software every day when our change management regime forces us to batch changes for release once every 3-6 months? How do we reconcile rapid software delivery with onerous change management processes?

Most regulations are written for general guidance and don’t specify an exact recipe to follow. To comply, organizations have traditionally implemented manual documentation and gate-checks, with every software release documenting the proof that the agreed processes have been followed.

Merkely provides a way of automating all the documentation and checkpoints necessary to comply with regulations.

How does Merkely work?

Merkely is a special type of database for recording your software process automatically. It provides an API for recording various compliance events such as build, code review, security scan, or release, directly from your DevOps pipelines. Implementing this central system of record provides insight across the organization, giving development, operations, security and risk a shared view of compliance.

An important consideration when choosing how to store this data is how it will be used. When the goal is to prove compliance with a software process, it is essential that the data is stored using a provable, secure, tamper-proof method.

Storing information in a way that allows for untraceable modification is pointless. This is why Merkely is based on an append-only datastore. It allows new versions of data to be added without losing the history. It is only with this non-modification guarantee that compliance can be proven.

Having a Merkely means you can begin the journey to Continuous Compliance by automating change and release controls.

Change Control

The first step in automating your software process compliance is to start recording the audit trail in your DevOps pipeline. The DevOps pipeline is the best place to do this because it is the heartbeat of software change.

By recording the relevant data in your DevOps pipeline you can query it for change control. How this is implemented depends on your process, but it could be a pre-merge control, or an artifact promotion control. However you approach this, the end result is the same: all changes in your software are automatically compliant with your process.

Now you have your software change process under control the next step is to manage the release process.

Release Control

Most software releases are made up of a collection of individual changes. The challenge this imposes on regulated software teams is proving that all of the changes included in a release have followed a specified process.

Merkely provides aggregate and composite views of change. This enables all stakeholders to share a common view of compliance across development, test, security, internal and external audit, automatically.

Continuous Compliance with Merkely

Delivering at pace within a safe, secure, and repeatable process puts demands on regulated industries. But, by implementing Merkely, teams in these regulated verticals can unlock much more of their DevOps potential.

Why not try it for free?

Top Articles

DevOps Engineer in Customer Success and Developer Relations 🚀

DevOpsCon: Munich & Online. Making friends with change

What does it mean to deliver software with Continuous Compliance?

Published March 9, 2021 in
Michael Long
Michael Long

Subscribe to The Merkely Meteor for all the latest news, updates and ch-ch-changes

Subscribe to the Merkely Meteor

More posts in technology

What does it mean to deliver software with Continuous Compliance?

In this short video, Mike Long, our Co-founder and CEO, explains how teams delivering software in regulated industries can achieve CI/CD using CC = Continuous Compliance. If you deliver software in a regulated environment you’ll be familiar with change management processes.

How to automate a secure chain of custody across your pipelines in 5 steps

Imagine you’re a Fintech CTO 🤓 with several teams and tens of microservices. Do you know what’s currently running in prod? How about yesterday? A week ago? Last month? And if you do know what’s in prod, do you also know how it got there?

How to Ensure Software Provenance. Just like Google.

Google has always been a leader when it comes to security culture, and google’s approach to managing a secure development lifecycle is no exception. This article introduces Google’s Binary Authorization for Borg (BAB), and will show you how you can implement the same binary authorization system to ensure that production software and configuration deployed in your organization is properly reviewed and authorized.

Subscribe to The Merkely Meteor for all the latest news, updates and ch-ch-changes

Merkely is committed to protecting and respecting your privacy. Don’t worry if you change your mind you can opt out at any time - Review our Terms and conditions and Privacy Policy
Subscribe
Merkely is committed to protecting and respecting your privacy. You can unsubscribe at any time by clicking the link in the footer of our emails. For information about our privacy practices, please visit our Privacy Policy.
Subscribe to the Merkely Meteor