
How Does FundApps Manage Software Updates and Changes?

Overview

This article provides a high-level overview of the FundApps Software Development policy and change management controls. It explains our continuous change and update process, which allows us to deliver software updates automatically and safely.

FundApps operates on a continuous deployment model rather than manual, on-demand release cycles. This approach ensures all users benefit from the latest features, security patches, and regulatory rule updates immediately and seamlessly.

Our Continuous Change Philosophy

At FundApps, we value simplicity, automation, and rigorous testing throughout our entire software development and regulatory rules implementation lifecycle. We do not deliver manual or scheduled client-specific updates. Instead, our teams utilise a continuous delivery pipeline to deploy small, thoroughly tested changes frequently.

Security in Project Management

We address information security requirements across all phases of our applied project methodology. If a project has the potential to affect the FundApps Information System or its data, we conduct an early-stage information security risk assessment to identify and implement the necessary controls.

Change Management Controls

To maintain strict security and system integrity, we enforce several layers of control before any code reaches production environments.

Authorising Changes

We capture significant changes to production environments in our project management tool, Shortcut, based on requirements from key stakeholders, including our Product Team, Chief Technology Officer (CTO), and Head of Information Security.

Segregation of Duties

Only members of our Engineering, Content, and Customer Success (CS) teams can submit production changes. Every change requires peer review and approval from another staff member before it can be merged into the main code branch.

Multi-Level Testing

A comprehensive testing suite is run against every proposed change. This suite includes front-end tests, integration tests, unit tests, rule tests, Static Application Security Testing (SAST), and open-source software license scans. Code cannot deploy to production if any test fails.

Emergency Rollbacks

We store all software builds securely. If an emergency arises, this allows us to immediately roll back to the last known stable build.

Change Management Steps

Every software modification passes through a structured, automated lifecycle to guarantee quality and security.

  1. Teams scope development tasks in Shortcut and flag potential security issues.

  2. Engineers perform the required configuration or code work as defined.

  3. Developers propose specific code changes via a pull request.

  4. A SAST tool scans the code for vulnerabilities, and another team member performs a manual review for quality, style, and security.

  5. A Continuous Integration (CI) server compiles the release and runs all unit tests in an isolated environment.

  6. We run our legislative rule testing suite using the logic and algorithms of the proposed new release to ensure behaviour and semantics are maintained.

  7. The release deploys to a main testing environment, undergoes a series of automated feature tests, and then moves to a main staging environment to verify that it can be deployed successfully with production configuration and infrastructure.

  8. Once all checks pass, our automated system promotes the release to all client staging environments, followed sequentially by all client production environments.

  9. A Dynamic Application Security Testing (DAST) tool scans a client-like environment weekly to detect new vulnerabilities.

Full Policy Access

For a deeper look into our technical governance, you can review the complete document on the FundApps Policy Portal.
