Securing a hyper-scaling CI/CD: ManoMano's story

About Fabien Lemarchand

Fabien is ManoMano's VP of Platform & Security. When ManoMano hyper-grew, security challenges such as securing a scaling CI/CD became crucial. Fabien and his team shaped a culture within their company that shows the way on security challenges. We were happy to have him during the CTO Forum. Over to Fabien!_

ManoMano was founded in 2013 and quickly became an e-commerce leader in home improvement, gardening, and DIY. We reached one billion in business volume and more than seven million active clients in less than ten years. This growth has been exacerbated by the covid crisis, which led to a spike in e-commerce, but also the democratization of DYI. More and more, Europeans want to build and renovate their homes. ManoMano supports them on this journey through our communities that inspire, advise, and help them from inspiration to installation.

Infrastructure scaling challenges

Our platform needed to reflect on this hypergrowth journey and led that growth. It led us to two main challenges: providing a platform to our engineers that was easy to work with. How can we build a performant platform that is resilient enough and simple enough to work on? We needed to enable our team to deploy improvements regularly.

The second challenge was about the stability of the user experience. The platform needs to absorb growth so our users don’t feel it.

So in 2019, we decided to switch from private hosting to the cloud to work on those challenges. It enabled our infrastructure to be simplified and more scalable. Automating many tasks from the lower layer also helped improve our engineer’s experience. As we were still relatively young and with a cloud-native approach, we had only a few legacies that needed total restructuring, and it took us less than a year to migrate to the cloud entirely.

This migration brought us bricks on which we could build new tools, and our engineering team was more autonomous.

How to automate to secure an infrastructure

Our platform is built as a product, with a strong focus on automation. We rely a lot on microservices, which are highly segmented and automated. We have a common CI/CD shared among us, on which all the security checks are automated so the developer experience is pleasant for our team.
The delivery pipeline is simple and automated too.

All this structure requires a solid foundation as far as sturdiness and resilience to ensure a guaranteed level on platform security. That is why our processes are extremely automated: all the lower layers are protected.

Our security team works closely with our features teams to find the best fitting solution every time. So we have on one side our automated dashboard that provides an overview of the company and on the other side the work with experts to be integrated.

People as the first pillar of the security strategy

One of the most significant pillars of security is people. We have a pedagogic approach at ManoMano on security topics. We integrate security on a more global scale in the company by building an internal culture around (cyber)security. We make it transparent and visible to show the value security brings to the company and engage our collaborators.

With this pedagogical approach in mind, we decided not to do everything for everybody. Our security team does not work on operational topics. Instead, they monitor and consult our team. We support them and teach them instead. We want to empower them and give them autonomy on security. We provide resources, information, and experts.

As we grew from 50 to 1000 collaborators in a few years, we strived to keep this cybersecurity-focused culture. We need to continuously flow on those topics with them to keep our culture.

And this is actually how to continue to onboard these 1000 employees and more with the same level of requirement of exigency.