It was brought to my attention that a customer of ours, Build.com, was using our software development tools to achieve PCI compliance. I was eager to speak with them so that other companies trying to attain the same security standard could learn how our tools can help.
I got the chance to talk with Justin Palmerlee, Director of Software Operations, regarding their use of our agile development tools.
Can you tell us about Build.com?
Build.com is the new face of online home improvement. We offer services online that you used to have to go to a brick-and-mortar for, like Lowe’s or Home Depot. The direction of the market is all online – look at Amazon or Newegg. People used to go to physical stores for books or computer components, but are now shopping online. We have the same concept for online home improvement. We actually just surpassed Lowe’s for the number two spot in the United States and hope to surpass Home Depot. The key to our success is our home built order management and store platform software.
How did you start using Atlassian tools?
When I joined the company two years ago, we had just started using JIRA and Confluence. It was my responsibility to make these software development tools popular within our company. I needed to get people using JIRA for task management, get our software lifecycle in JIRA, and get people to use the enterprise wiki to share documents and notes. I started by developing a support environment because support was the first team I felt needed to get integrated. I created email handlers so people could just email firstname.lastname@example.org and a support ticket would automatically be created; our support team could then investigate and handle the issue. That became really popular and JIRA advertised itself. Users were really impressed with how well-organized ticketing worked.
How did you learn about JIRA?
The only bug tracking software I used prior to JIRA was Mantis. I was given the Atlassian tools and was supposed to make them work. I dug right in, went to the Atlassian site, completed tutorials, and went with it. I was able to pick up the usage easily. There have been UI and usability improvements since, but even with our original version I was able to pick JIRA up and run with it. If you have the drive, you can do amazing things with JIRA.
How are you using JIRA?
We started with three projects: 1) order management console, 2) build store platform, and 3) helpdesk. Our main development projects for our leading products are the order management console and store platform. We started with those three, and in just two years we have expanded to 42 projects.
Our JIRA helpdesk supports external customers, but mostly our internal employees. We get feedback from customers and then create JIRA tickets if need be. This is how we identified a need for JIRA – before, we’d just have developers look at our bug-dump and go in and try to make fixes without reporting. No one knew what was going on. Our VP of Software Development, my supervisor, decided we needed something that worked better, had more transparency, and allowed more people to collaborate. He went with JIRA and tasked me with making it popular and work for the company.
Once our helpdesk was set up, people started asking me for custom workflow designs – it got very elaborate. We have everything integrated: from hiring requisitions to system downtime notifications to all of our data teams. We actually have integrations from our internal site right into JIRA so that ISRs can mine a data product problem. We also manage do-it-yourself video projects – we have JIRA set up so that our media team can go to an employee’s house, install something and film it for our site. We track these types of projects in JIRA step-by-step. Everything you can imagine runs through JIRA and it all started from creating a helpdesk environment that people really liked.
Can you comment on how your projects are organized?
The current projects really span across every department within the company. Our IT team, help desk, all of our PM teams, and vendor relations teams who do the entire vendor acquisition process are all coordinating with the issue tracker. We have also facilitated company contests in JIRA. For example, HR wanted to make a new logo when we acquired the site “Build.com” because our original company name was “ImprovementDirect.” We wanted Build.com to be our brand name going forward. We had people submit to email@example.com which created a JIRA ticket and from there our HR team reviewed the tickets. We’ve really expanded the use of JIRA to everything. It’s gotten so large we’ve even considered going to multiple instances of JIRA as we continue to expand.
Have you customized Atlassian’s issue tracker?
One word that really rings a bell to me with JIRA is customizability. You can make JIRA cater to your needs however you want. Like I said, we have contests, software development lifecycle, HR hiring processes, vendor acquisitions, and so on that are all done in JIRA. This is all accomplished under one software platform, which is just not possible to do with most other tools without reprogramming them.
We use several plugins; my favorite is called Minyaa. The functionality we use flags worklogs that allow us to track how development, support, or QA time is spent. Another feature allows for the creation of global transitions, so rather than create an “undo” step for all of your workflows, you can just apply the same one to all. From what I understand, that’s now native in the new version of JIRA (Global Transitions documentation). Minyaa allows for some powerful post functionality and conditional statements in our workflow that really make it more powerful for our complex software development process. Minyaa is the bread-and-butter plugin of our system.
What is PCI compliance, and how has JIRA helped you achieve it?
PCI compliance is essentially payment card industry standards. Hundreds of items need to be addressed to be compliant, and one piece of that is the software development lifecycle. JIRA needs to be set up in a way that our development team cannot change code and push it out to customers without checks and balances. With our lifecycle, the system we created has as many as four checks before any changes might occur. A ticket will come in the “open” status, transition to “in progress,” and we’ve set it up with post functions and transitions to flag who the developer, peer reviewer, manager, and stakeholders are. We also had to develop a way to scan our system to catch credit card numbers so they didn’t sit on our system.
We have auditors come in annually to make sure we are compliant. When we had our first assessment, we completely failed. We were given the task to make a PCI-compliant software development lifecycle. We had to sell it to our developers in a way that wasn’t too strict, yet completely secure. The auditors also do a penetration test to see if they can hack our website. We had to create a very complex system and figure out how to make our website pass the tests. The auditors just loved it after we implemented JIRA. They could see who developed what, who reviewed it, who signed off, and when the action was deployed. For the lifecycle, the auditors now ask for every JIRA ticket in a set timeframe. It’s quite amazing; you have to be amazed. We can’t afford to deviate; the system has to be very precise.
Do you have advice for others considering JIRA?
I would definitely tell other companies to make their system scalable with workflows. There were several times when I was designing and would have to take a step back and make changes. I would actually advocate Atlassian training. I would also recommend learning best practices and getting a feel for the Atlassian product; learn what to do before you just jump into it and try to create a really advanced workflow. It’ll pay dividends if you spend the time to research before jumping into it. Like the old adage, if I had eight hours to cut down a tree, I would spend the first six sharpening my axe.
How is Confluence used at Build.com?
We adopted Confluence because we needed technical writing. We are a part of a European company, Wolseley, which has a litany of security standards and procedures we need to follow. Some of them are very lengthy, so we need a good place to document them. Confluence seemed like a good place to record new company policies, information security procedures, and everything else that led us to attain PCI compliance. Confluence is a great way to collaborate and get multiple people to sign off on documents. Everyone in the company now uses it and it’s how we distribute primary materials. Even our project specifications are done in Confluence. It grew innately from how amazing the product is.
We use Confluence for all of our documentation and all of our company procedures. Anything that people really need to know they know to find in the wiki. It’s our primary resource for all of our employees to find useful documentation. We also use it as an area for employees to talk and share techniques. We use the Community Bubbles plugin and created our company user forums with it. We have a tips and tricks section in the forums where I posted an article about Chrome secrets to make your Chrome browser really powerful, especially for work. Every department is now using the collaboration software; every department has its own space.
How do new employees interact with Confluence?
Confluence has been really great for getting people up to speed. It’s really used as a document repository, especially when it comes to HR and people getting accustomed to the business. People use the HR and training section to check our training schedule. For example, we have a lot of venting pipe training programs because it’s actually very complicated to try and sell venting pipe to a customer. You can potentially sell the customer venting pipe that won’t work for his needs and cause a fire in his house. Therefore, we certify our sales reps in how to sell venting pipes. It’s tough to keep people up to speed, but we’ve integrated training into the wiki. New employees can also see all of our policies. When a user joins, he or she has to do all kinds of reading and Confluence saves our HR team the hassle of having to print out documentation. Users can review everything on one space area in the wiki.
What advice would you give someone considering Confluence?
Start by making it very collaborative. Users develop the wiki on their own, which I believe is one of the greatest aspects of the tool. Just be collaborative and open when you start. Allow everyone access to create new documents and see how far people take it. That will dictate how you should use it.
Are you able to quantify the results of using Atlassian products?
One thing I can tell you is that we have almost 400 JIRA tickets created daily and about the same amount resolved in a day. There are about 1.2 tasks per day, per employee, created and resolved every day. I mean, where would these tasks be managed without Atlassian software? I think these numbers speak for themselves.