BUSINESS: Food manufacturing
SIZE: 670 employees
BUSINESS CHALLENGE: Upgrade network security, especially to protect e-commerce operations being moved in-house from a hosting company.
OPERATIONAL HURDLE: Providing timely and comprehensive security analysis, scanning and remediation with a small IT staff.
SOLUTION: Qualys Enterprise on demand vulnerability management service
WHY THEY CHOSE QUALYS:
- Strong protection from attacks on e-commerce system
- Automated on demand service is self-contained
- Detailed, automatic reports instantly summarize state of Jelly Belly security
- Easy to use
Jelly Belly Candy Company
Qualys Sweetens Security for Candy E-Commerce at Jelly Belly
The Jelly Belly Candy Company started in 1869 with the American immigration of two German brothers. Their venture was ice cream and candy sold from a horse-drawn wagon in Illinois. By 1900 the company began making new buttercream candies, including Candy Corn. American troops overseas got most of the U.S. chocolate during World War II, so the company began making common candy store jelly beans for domestic sales.
The idea for Jelly Belly, the world's most famous jelly bean, came in 1976 when the family-owned company began making "true-to-life" flavored jelly beans using natural ingredients. The best known customer was President Ronald Reagan, who served jelly beans to national politicians and foreign dignitaries in the White House. With more than 670 employees, Jelly Belly now produces about 13 billion jelly beans a year. Headquarters are in Fairfield, Calif., with manufacturing plants in Fairfield and Chicago, and a distribution center in Wisconsin.
Like many manufacturers with traditional distribution and retail sales channels, Jelly Belly also sells products directly to consumers through its website. Jelly Belly used to have its e-commerce website hosted by a company on the East Coast but grew leery of the integration required between its internal production and order processing applications and the hosting service provider. Company executives sought to simplify e-commerce operations by bringing them in-house.
Jelly Belly already had a high-availability infrastructure at its headquarters, including redundant power and multiple T1s for Internet connectivity, but security was a big concern. The IT department had recently begun using the on demand Qualys vulnerability management service to find and fix network vulnerabilities. Executives approved the e-commerce simplification initiative when they learned of Qualys’ capabilities to manage security threats against internal e-commerce operations and the personal information of Jelly Belly customers. Qualys remains the trusted foundation of Jelly Belly's network security audit and remediation program.
On Demand Service Model Made Deployment of Qualys 'Painless'
Prior to implementing Qualys in mid-2003, Jelly Belly had no comprehensive testing plan for vulnerabilities, according to Gary Praegitzer, Network Administrator and Security Specialist at the candy company. Ad hoc scans for vulnerabilities were done with various open source tools. Jelly Belly required an effective, comprehensive vulnerability management solution that would not tax the company's small IT staff of sixteen.
"The fact that Qualys is a web-based service, and that everything is automatic and updated is a huge plus for us," says Praegitzer. He cites benefits of not having to buy, maintain, update and manage another piece of software. "We don’t want the hassles of maintaining this type of software. It's pretty much hands-off to get the benefits with Qualys."
Praegitzer says getting started was painless. "Deployment of Qualys was incredibly easy—just a matter of giving our IPs and proof of ownership to Qualys, entering the numbers and clicking the start button."
The Jelly Belly infrastructure protected by Qualys includes more than 30 servers and 400 PCs. Jelly Belly uses Qualys to monitor security for its external-facing servers and resources including routers, firewall, website and email.
Qualys Reports Provide Clear Picture of Network Security at Jelly Belly
Jelly Belly scans its network for new vulnerabilities on a daily basis. Praegitzer praises the depth of reporting within Qualys and its ability to pinpoint specific problems. "The other side of that is Qualys’ remediation workflow," he notes. "Not only does Qualys tell us what is vulnerable, it also shows resources for fixing the vulnerabilities."
Praegitzer says visibility into Jelly Belly's vulnerabilities provided by Qualys reports is invaluable. "We're pretty aggressive on patching our systems, especially public-facing systems," he says. Jelly Belly uses the reports to verify the elimination of vulnerabilities. Praegitzer says vulnerabilities occasionally reoccur, prompting fine tuning in the company's firewall or other security defenses. The reports provide evidence that effective security measures are in place.
"Qualys gives me great reports to go back and give to my boss in case he needs to go to upper management and show them what’s happening with Jelly Belly security," says Praegitzer.
The payoff to Jelly Belly for using Qualys is clear. "We have not had any successful attacks since we installed Qualys," says Praegitzer.
Bringing Peace of Mind to Jelly Belly Security Administration
Praegitzer underscored the benefits of Qualys being a self-contained service. By using Qualys, Jelly Belly avoids having to dedicate staff to keep up with new vulnerabilities and update the system. "Qualys is like having our own full-time research staff in house," Praegitzer says. By using Qualys on the front line, Jelly Belly is able to reserve internal staff as a second line of defense.
"Qualys gives me comfort knowing I have access to this really great service that other companies bigger than us are relying on for their security," says Praegitzer.
Praegitzer praises the Qualys customer service staff and says the 24-hour remediation support help desk was very helpful—the one time he used it. "I really haven't had to call them!" he says. "The fixes are right there in the reports and the reports tell you everything. This makes it really easy to use this product."
Qualys’ ability to document the state of Jelly Belly network security brings peace of mind to Praegitzer. "I look at Qualys as inexpensive insurance," says Praegitzer. "It's a very inexpensive way to get a third party to check out my network and tell me what exposures exist. I'm really very happy with the product."