The challenge: Security disconnected from DevOps workflows
The recognized world leader in pizza delivery, Domino’s makes it easy for people to satisfy their hunger for delicious pizza. Customers can order from Domino’s through their phone apps, Facebook, Twitter, Alexa, the Domino’s website, and more.
Domino’s is a pizza company—and a technology-driven ecommerce giant, with $5.6 billion in digital sales in 2016. Domino’s IT team relies on DevOps best practices to get innovations into the hands of consumers and its people. Ensuring technology security used to be a speed bump in the DevOps workflow, with developers bringing security input into projects too late in the process.
Michael Sheppard, senior application security engineer at Domino’s, explains: “Security can be viewed as an impediment to progress when there are barriers to collaboration between developers and security. It took hours of meetings just to determine security requirements on projects. We needed to find a faster, easier way to participate in DevOps.”
Joining the flow
The security team looked at the tools the DevOps team used to drive its workflow. To create and share specifications, they relied on Confluence. And they used Jira Software to track and manage tickets and tasks. A lightbulb went off: the security team realized that they could use those Atlassian tools to connect with developers and streamline the DevOps process.
The security team wanted to create a form in Confluence that developers could use to automatically submit security information to the security team much earlier in the development process. Domino’s approached Forty8Fifty Labs, an authorized Atlassian partner, to build an app that used Confluence and Jira to link security to DevOps workflows. Forty8Fifty Labs worked with Domino’s security team to create a 10-question Confluence form that generated Jira tickets based on the answers.
“We knew our developers liked using Confluence to collaborate and document requirements,” says Sheppard. “Security just joined a workflow that already worked well. It takes a few minutes to fill out the form, and about four minutes to get back the corresponding Jira security requirement tickets. What used to require more than 20 hours of meetings and review now takes minutes. This app solves a huge security pain point that is very prevalent in software development.”
“With our Atlassian app, we were able to automate a unique workflow and break down barriers between security and development,” he adds. “That kind of automation is a key driver of efficiency in today’s software-centric world.”
The benefits of apps add up
But that’s not the only innovation the Domino’s team adopted to improve their DevOps practice. Presenting the big picture to leadership and decision makers is key to ensuring a great user experience. The company used Splunk software to gain insight into its processes, and Domino’s security team realized that they could use the Splunk app for Jira to bring Jira security data into its Splunk ITSI dashboards. That lets them more readily identify and address trends they see across many Jira projects. For example, proper coding training was implemented as a result of seeing a rise in vulnerability tickets being opened in Jira. These integrated tools help development and security teams align their efforts to business value by presenting indicators that reflect the security health of the codebase.
“Thanks to the app we found in the Atlassian Marketplace, we’re able to pull security requirements data from Jira and display it in Splunk ITSI,” says Sheppard. “Our metrics dashboard tracks 10 key indicators. We can visualize the kinds of security tickets we’re generating in Jira and look for opportunities to close them more quickly.” With these two apps, they were able to save $100,000 annually, reduce risk by 75%, and highlight this business value to management.
All about pizza
In creating more openness between security and development, Domino’s keeps its eye on the big picture—and its focus on consumers. “Our developers write code and our security processes keep our technology secure so that we can make it safer, easier, and more fun to order great pizza,” says Sheppard. “In a sense, the apps we found in the Atlassian Marketplace are helping us deliver more pizza faster than ever before.”