When asked what compliance means to his team, Rob Woolley, VP of Technology Operations at Benevity, responded: “It’s living up to our internal expectations of winning our client’s trust every single day. Our compliance function keeps us honest and accountable.”
Benevity is a platform that helps companies engage their employees and find purpose through charitable giving, so Rob and his team handle the personal data of thousands of their clients’ employees, which they treat with the utmost care. They apply the same rigor to their integrated Atlassian Data Center stack as they do to their own production systems: everything is encrypted and runs security agents, and they take every practical precaution against a breach, data loss, inappropriate access, or privilege escalation. Rob laid out his best practices for vulnerability management, security within CI/CD, and having the right tools and systems in place to scale compliance across teams.
Making vulnerability management look easy
With compliance top of mind for most organizations, having visibility into vulnerability management workflows is essential to help keep teams accountable and optimize the auditing process.
To do this, Benevity uses the full capabilities of the Jira Software Data Center workflow engine. Their vulnerability management process takes input from multiple external systems that detect vulnerabilities; each finding becomes a custom issue type in a Jira project owned by security operations. Many different teams collaborate on those projects, and all of them need visibility into the full workflow. For example, the security team may find a vulnerability in one place, and a development team then gets pulled in to do the remediation work. Using Jira, they can track who found the issue, when it was found, everyone who worked on it, and when the fix was rolled out. The most critical vulnerabilities need to be addressed first, and Jira helps prioritize them efficiently.
This “cradle to grave” audit trail helps keep them honest, and as an added bonus, it makes their auditing process a lot easier. When the organization’s auditing control period comes around, they can easily point to each step of the process in addressing a vulnerability, giving them confidence in proving their controls were met. Rob calls it “automating your audit” which he adds, “is so nerdy, but so impactful.”
Monitoring and managing compliance across teams
Having the right tools and systems in place further streamlines work and helps keep teams aligned, saving organizations immeasurable time and energy.
To achieve team alignment and efficiency, Benevity uses Jira dashboards to monitor many of their compliance processes and team initiatives. Once they set KPIs, they display the corresponding dashboards on TVs in the office to always keep them top of mind. Not only does this help everyone understand the current tempo for the team, but it also starts some great conversations across teams.
The Security Operations, Site Reliability, and IT teams each have four to five KPIs or dashboards they’re responsible for. The managers for each of these functions meet weekly to analyze the KPIs and team capacity, and redirect resources the following week where additional support is needed. When teammates know they have to depend on each other to achieve their goals, the result is true cross-collaboration.
In Rob’s opinion, you can never overuse Jira macros, and combining them with Confluence Data Center has been instrumental in his team’s success. To add detail to their Jira dashboards, the security operations team writes supporting commentary in Confluence. Because they review every open issue in Jira once a week, they have good context on what needs serious attention. When they identify an issue, they can compare it against other builds to determine where the vulnerability was introduced. This produces an unambiguous record of events, so anyone can assess where policies worked and where they did not.
Some processes still call for human judgment, and tracking availability is one of them. For every outage they experience, they run a post mortem using a Confluence template that includes the remediation items. They have also written playbooks on how to manage these tasks properly, which double as onboarding material for new hires, who can learn from previous incidents.
Integrating security into CI/CD practices
Engineering teams are often subject to change management controls, which are reflected in their software development lifecycle. Having all your tools integrated allows you to maintain this change management workflow with ease.
Benevity’s engineering team is moving to trunk-based development, which Bitbucket Data Center supports, and they have found Bitbucket extremely beneficial given their need to host their own source code. One of Rob’s favorite features is the ability to compare tags. Before deploying any code, they tag it first; the tag goes into the build pipeline, which produces the build artifacts. If a build breaks, comparing tags tells them which changeset is responsible. While you can also set fix versions in Jira, you want to make sure your apps support the branching strategy and the pull request rules you have in place. At Benevity, every change has to be reviewed and approved by two people. From there, they have controls on who can merge, and further controls up the CI/CD pipeline determine who can actually promote a build artifact.
As a whole, they’ve never encountered a compliance posture they wanted to pursue where they’ve been blocked by the capabilities of Bitbucket. Thanks to the integration between their Atlassian Data Center products, they can flip through their various tools without breaking their workflow. The code in Bitbucket connects to an issue in Jira, which can lead to a Confluence page that contains the broader context as to why it got built in the first place. “It’s just good fun when everything is connected,” says Rob.
Compliance is one of those practices that’s never going away, and the need for security is never going to change; in fact, its importance is only increasing each passing day. Your customers’ trust and retention depend on it. As Rob put it, “It’s always in your best interest to get really good at it, sooner rather than later.”
If you’re looking to take action on optimizing your own security and compliance processes, check out our three-part webinar series.