Total PC Safe Software Deployment Practices
1. Introduction
F‑Secure's Safe Deployment Practices (SDP) document outlines our approach to ensuring reliable, secure, and controlled software deployment for the F‑Secure Total PC. This document focuses exclusively on the anti-virus feature, excluding other parts of the security suite.
Security products and their integration with Windows require careful deployment planning due to their complexity and the evolving threat landscape. This document demonstrates our commitment to maintaining a secure and resilient environment for our customers through structured deployment processes, monitoring practices, and response protocols.
This SDP documentation is reviewed and updated annually to ensure alignment with industry best practices.
2. Safe Deployment Practices Overview
2.1 Development and Testing Approach
F‑Secure utilizes a Continuous Integration (CI) model for development of the product. Our development process includes:
Comprehensive Unit Testing: All code changes undergo extensive unit testing with wide coverage to catch issues early in the development process.
Code Review Process: Our development workflow requires all changes to be submitted via pull requests, which are merged only after thorough review by other developers.
Automated Test Suite: Our Test Automation (TA) system runs thousands of tests on each build, covering functionality, security, performance, and compatibility with the latest Windows OS versions.
Security Vulnerability Scanning: We run several security tools against our repositories to identify and remediate potential security vulnerabilities in our code and dependencies.
Test Environment Diversity: Testing is performed on all of the latest supported Windows versions to ensure broad compatibility.
A build is only considered for beta or production release when it successfully passes all automated tests, ensuring a baseline quality standard for every release candidate.
2.2 Staged Deployment Process
We employ a carefully structured staged deployment process that follows these key phases:
Beta Release (Every 1-2 Weeks):
Each candidate build that passes our Test Automation is released to our public beta test group.
This group serves as our "canary" deployment to identify any issues before wider release.
We collect and analyze feedback from beta users to identify and address any issues.
Beta releases continue until we achieve a stable build suitable for production.
Monthly Production Release:
Once a beta build is deemed stable, we prepare it for production release.
Production readiness includes final verification, release notes preparation, and customer communication planning.
We follow a carefully controlled throttling approach for production deployment:
Week 1: Limited deployment to several thousand users
Weeks 2-3: Gradual increase in deployment volume
Weeks 4-5: Deployment to the remaining user base
Monitoring Throughout Deployment:
We use Amazon Redash dashboards to continuously monitor key metrics throughout the deployment.
These metrics include upgrade failure rates, installation completion, and application performance.
Support ticket monitoring provides additional feedback about user-encountered issues.
Daily review of all collected data informs decisions about continuing, pausing, or accelerating the rollout.
2.3 Issue Response Strategy
F‑Secure employs a forward-fix approach rather than rollbacks when addressing deployment issues:
Issue Detection:
Our support team creates tickets for all reported issues in our backlog.
The development team reviews this backlog every morning to identify and prioritize issues.
Metrics from our monitoring tools help identify systemic problems that may not yet be reported by users.
Response Protocol:
For critical issues, we immediately pause the ongoing deployment to prevent further impact.
Based on the severity and scope, we determine whether to:
Create a maintenance release for significant but non-critical issues
Develop a hotfix for critical issues that require immediate attention
Hotfix Deployment:
Our hotfix process enables us to develop, test, and deploy critical fixes within hours.
Hotfixes must both pass our Test Automation suite and undergo manual testing to verify they resolve the issue without introducing new problems.
Once verified, hotfixes are pushed to all users through a special update channel.
2.4 Monitoring and Feedback Systems
Our monitoring infrastructure provides comprehensive visibility into the deployment process:
Metrics Collection:
Amazon Redash dashboards track critical deployment metrics including:
Upgrade success/failure rates
Installation completion rates
Post-installation functionality
Application crash rates
Detection efficacy
Anomaly Detection:
Our backend systems use threshold-based alerting to identify critical metric deviations.
Trend analysis helps identify gradual degradation that might otherwise go unnoticed.
Automated notifications ensure timely response to emerging issues.
Feedback Channels:
Beta program feedback provides early warning of potential issues.
Daily support ticket reviews ensure all issues reported from production are evaluated promptly.
We actively monitor community channels and discussion boards to identify emerging issues and gather user feedback.
2.5 Continuous Improvement Process
We maintain a structured approach to continuous improvement:
Post-Deployment Analysis:
After each production release, we conduct a retrospective to examine what went well and what did not.
We analyze metrics, user feedback, NPS scores, and any issues encountered to identify improvements.
Continuous Process Improvement:
We constantly look for ways to enhance our development and deployment processes.
Learnings from each release cycle are applied to improve future releases.
Annual SDP documentation updates ensure our practices remain current.
Infrastructure Enhancements:
Ongoing evaluation and upgrades to our monitoring tools ensure optimal visibility.
Continuous expansion of our Test Automation suite improves coverage.
Regular refinement of our metrics dashboards enhances decision-making capabilities.
3. Communication Practices
Clear communication is essential to our deployment strategy:
Release Communications:
Detailed release notes document all changes, improvements, and known issues.
Beta program participants receive special communications about new features and known limitations.
Production release announcements provide users with relevant information about updates.
Issue Response Communications:
For critical issues, we provide clear notifications through appropriate channels.
Communication includes the nature of the issue, impact assessment, and expected resolution timeline.
Regular updates keep users informed throughout the resolution process.
Feedback Collection:
Multiple channels enable users to provide feedback about their experience.
Support systems categorize and prioritize user-reported issues.
Beta program participants have dedicated feedback mechanisms.