At ManoMano we experiment with Chaos Engineering to prepare for the worst

Founded in Paris in 2013, ManoMano has within a few years become a European leader in the online DIY, home and garden market. The startup was co-founded by two Frenchmen, Philippe de Chanville and Christian Raisson, with support from Bpifrance, Partech and Oseo.

Today, this e-commerce platform offers 16 million product references from 4,000 merchants. It has 1,000 employees, of whom 750 are in France, and operates in six European countries (France, Belgium, Spain, Italy, Germany and the United Kingdom) in five languages (French, German, English, Italian and Spanish). In 2020, helped by the pandemic and by its geographical expansion, it doubled its sales volume compared to 2019.

There are several reasons for this. “E-commerce boomed during the lockdown periods. We are recognized as true DIY specialists, responding to new consumption patterns. We have a solid reputation for supporting our customers in the search for their products, thanks to our technical resources. Half of our employees come from ‘technical’ or ‘digital’ backgrounds,” explains Clement Hussnot Dessinong, director of platform engineering.

Towards a “complete cloud” in two steps

Until 2019, the ManoMano Information System (IS) was hosted and operated by Claranet. Then the decision was made to move to the AWS public cloud.

“We were already experiencing a significant increase in load. Fortunately we made that choice, because in March and April 2020 our e-commerce traffic quadrupled compared to the previous months,” says Clement Hussnot Dessinong. “Flexibility, too. In terms of development tools, we rely on managed services, which gives us a guarantee of reliability, especially for database security.”

For compute resources, ManoMano also relies on AWS, with the EC2 offering and Kubernetes containers, “which provide a great deal of flexibility”.

Two-step development

This migration took place in two phases: in September 2019, about thirty applications, the most important of which, including three “monoliths”, were already virtualized on bare-metal servers, were ported to AWS. Six months later, the migration to Docker containers was organized.

“To simplify our operating methods, we first adopted the AWS ECS (Elastic Container Service) orchestrator as a managed service, and then moved to AWS’s Kubernetes offering, called EKS. 95% of our services are deployed as Docker containers on EKS,” the engineer explains. “The remaining 5% are our ‘core services’, such as API gateways and authentication services.”

For the most part, corporate applications rely on Google Cloud services in SaaS (Software as a Service) mode, running on Windows, Linux and iOS.

Cyber Security: Persistent Attacks

When it comes to cyber security, ManoMano has seen an increase in the number of attempted cyber attacks as it expands its business into new markets in Europe. “Threats are daily and permanent. Attacks have advanced computationally. In the first three or four years, we were logging up to 100,000 attempts per year. Today, we have 10. However, we are still within the standard order of magnitude generally observed in e-commerce,” reveals Fabien Lemarchand, Head of Information Security.

All forms of attack are cited: from DDoS attacks, on a daily basis, to attempts to break into customer data, or even attempts to defraud payment transactions, not to mention “phishing” type attacks.

“We’ve built a cybersecurity team of eight that tests our platforms daily. We maintain a bug bounty program that rewards ‘fair play’, or ‘ethical’, hackers, those hunters who help you get rid of vulnerabilities on websites,” Fabien Lemarchand describes.

Transparency and Collaboration

With this goal, the IT department created an “Extension for Security Platform”. “It brings us a lot of transparency, especially since we have always had a very collaborative ‘open source’ culture; therefore, we collaborate with many colleagues on many e-commerce platforms.”

This transparency also applies to employees. “We have chosen the ‘training’ approach. We regularly test our defensive capabilities; we regularly launch ‘phishing’ simulations via different channels: USB keys, physical snooping, ‘weak’ software, QR codes, etc. We believe that these simulations are useful and contribute to solving weaknesses.”

To protect its platforms, ManoMano has chosen to use, among other solutions, the Cloudflare network for security services. “It’s an important partnership. Their offer provides us with an extra layer of security on incoming traffic. All requests are scanned in order to detect malicious parameters and block certain transactions before they enter the IS,” explains the Director of Cyber Security.

Security by design

Among other cybersecurity solutions, several tools are aimed at protecting key developers: multi-factor authentication on workstations, code auditing, order control, etc.

“We apply ‘security by design’ measures, either automatically, for example when we are preparing to deploy a new application, or during development: all components are tested one by one; we carry out intrusion tests,” confirms ManoMano’s CISO.

“Humans must become a strong link. This requires a lot of communication with all employees.”

The IS vs. the ‘bad guys’

ManoMano has chosen to organize three types of outreach event: over a day or a half-day, online and ‘semi-face-to-face’. “We put ourselves in a technical failure situation; the issue needs to be resolved as quickly as possible: identify the problem in the IS and make sure to get things restarted. We first create a small group of ‘bad guys’, those who will imagine the scenario and cause the crash,” he says.

“These exercises also contribute to innovation and to imagining improvements, very regularly. These are fire drills [alerte au feu, editor’s note]. They allow us to build more resilient systems, because by causing these malfunctions (what we call ‘chaos engineering’), we observe how systems and teams behave,” adds Fabien Lemarchand.

Among the projects currently under way, security remains a priority area. “As we continue to grow and want to develop the B2B business that started in 2019, we must rethink our operating methods to enhance our resilience. Our approach, which is agile, is ‘self-service’ oriented, because we want to make teams more independent in operating services. This is the key to efficiency and innovation.”