E-commerce is about more than just shopping carts. With more shopping moving not just online but to mobile, retailers need to constantly innovate to stay relevant. Hamburg, Germany-based retail and services company Otto Group offers its customers a variety of innovative technologies to enhance the shopping experience, including augmented reality applications for online furniture shopping or AI-driven voice solutions for first-level support. The basis for this is provided by a state-of-the-art IT landscape and software development toolchain.

Providing customers with innovative digital experiences is a top priority for Otto Group, which owns 30 major company groups and does business in over 30 countries in Europe, North and South America, and Asia, including Crate and Barrel, Freemans, Manufactum, and, of course, its namesake Otto. Ideally, all of its subsidiaries will share innovations, helping the entire family adapt quickly to the changing world. But many of Otto Group’s subsidiaries had their own IT teams. “It’s a heterogeneous environment,” says Dr. Hanna Huber, Otto Group VP of Technology Strategy and Governance. “Some brands are working with bleeding-edge technologies, others are battling legacy systems.” That led to silos across the company, and instances where one brand might have solved IT problems that other brands were still struggling with. Getting a clear sense of the company’s software security posture was difficult if not impossible.

Otto Group started using GitHub to unify its software development efforts in 2015. In 2020, the Otto Group set new benchmarks to standardize software development processes by founding its Software Engineering Unit. GitHub became a supporting pillar in establishing a modular approach to the development and implementation of apps and mobile features. GitHub provides what Huber calls a “common language” for Otto Group’s companies to share code and resources. With GitHub as a technological framework, Otto Group has been able to sustainably advance the innersource processes that 18 group companies are already involved with. “This development was driven by a group-wide transformation that stands for a new era of collaboration,” Huber says. Today, Otto Group’s engineering teams are flocking to GitHub, even though it’s not mandated. “We don’t want to do everything top-down,” Huber says. “We want people to adopt things because they work and because they want to use them.” The company now has 60 developer organizations with more than 1,500 engineers using GitHub and is still growing.

As usage grows, GitHub is becoming more central to development at Otto Group. For example, the company’s Digital Product Lab team, which builds mobile apps for many subsidiaries, uses GitHub Actions for its entire CI/CD pipeline, from pushing code to QA to shipping to app stores. Bjoern Bengelsdorf, a senior software engineer in the Digital Product Lab team, says that they’ve been able to find a prebuilt Action for nearly everything they’ve needed to do, saving them time and resources. “We get everything we need from the GitHub Actions marketplace to build and support our tailored CI/CD pipeline,” he says.

“We get everything we need from the GitHub Actions marketplace to build and support our tailored CI/CD pipeline.”

Bengelsdorf says Actions provides a better developer experience than their previous solution. “Everything is in a single environment, there’s no need to switch to another application or connect to something through a VPN,” he says. “You run the Action just by committing your code, which is awesome.” Similarly, as open source becomes more important to Otto Group, GitHub Packages has helped teams streamline their code management.

The upshot of having fewer tools and processes to manage, Bengelsdorf says, is that they get to spend more time focused on building new software that they can share with the rest of the company. For example, the native shopping app framework shared and used by several Otto Group brands was created by the Digital Product Lab group. “We provide a framework for native apps that includes all kinds of e-commerce modules,” Bengelsdorf says. “Each brand customizes that framework based on their own identity and the shopping experience they need.” When the team adds new features to the framework, like the augmented reality module, all the different Otto Group brands can take advantage of those. That entire process of adding new features and deploying them to different brands is managed through GitHub.

GitHub makes life easier for Otto Group’s engineering teams in other ways as well. Many developers are already experienced with GitHub and find the core functionality to come as second nature. From submitting and reviewing pull requests to forking repositories and discussing issues, new hires are familiar with many common processes from day one. Otto Group benefits from a central corporate IT service department, which makes the integration of GitHub much easier. Plus, with so much of the development process happening in GitHub, developers need access to fewer separate tools and systems, which means fewer accounts and permissions to manage per new hire. This equates to hours of saved time.??

As Otto Group standardized on GitHub, the company increasingly leveraged it to manage security and authentication processes. Before, the security team had no centralized way to visualize or report on security risks, even within teams, let alone across the organization. Now with GitHub Advanced Security Otto Group finds it easy to report security status to leadership teams, including current vulnerabilities and how much progress they have made remediating them over time. “GitHub Advanced Security has put us in a position to confidently talk about our security posture when it comes to source code,” says security engineer and product manager Marie Theresa Brosig.

Otto Group aims to integrate security into every phase of the software development lifecycle. By implementing centralized security scanning with GitHub Advanced Security the company has? taken an important step towards that goal.? Otto Group started by creating a rollout program to enable developers to start using GitHub Advanced Security right away, touching briefly on all three tools in the GitHub Advanced Security toolset: secret scanning, code scanning and supply chain security.?

She says developer engagement with security has “gone through the roof” since rolling out GitHub Advanced Security. “Our developers are impressed with how easy it is to use,” Brosig says. “The false positive rate is really low, which helps prevent unnecessary frustration and keeps the focus on key security issues.” Now, Otto Group’s security teams save time on responding to day-to-day security matters, as developers are empowered to take security into their own hands more and more.?

“Our developers are impressed with how easy it is to use,” Brosig says. “The false positive rate is really low, which helps prevent unnecessary frustration and keeps the focus on key security issues.”

With secret scanning Otto Group’s now able to surface exposed keys, tokens, and other authentication secrets. With the push protection option, developers receive warnings if they try to push a secret to a repository, preventing exposure from happening in the first place.?

Meanwhile, code scanning alerts don’t just help improve source code quality when it comes to potential security vulnerabilities: the extensive additional information they contain on how to fix specific vulnerabilities also helps train developers on how to write more secure software. “It’s a big help to us that developers can learn to write safer source code independent of us,“ Brosig says.

Both code scanning and Dependabot alerts are accessible in both the security overview and within individual pull requests. Accessing these alerts in a pull request before merging source code into a potentially production-ready branch has enabled Otto Group to “shift left like we really mean it,” Brosig says. Along with Dependabot alerts and security updates, dependency graphs have enabled Otto Group to quickly capture low-hanging fruit and improve its overall supply-chain security.

“Writing our own CodeQL queries is definitely one of the next steps in our GitHub Advanced Security journey,” Brosig says.? “We’re also really interested in joining the Secret Scanning Partner Program.”

More and more, Otto Group is combining GitHub Actions with GitHub Advanced Security as it’s a convenient and effective way to automate workflows. For example, managing app store credentials and certificate signing can be automated through GitHub Actions in combination with Secrets.?

Today, Otto Group developers deliver new features more quickly and more securely as they’re able to focus more on creating value and solving real problems and less on managing tooling and solving the same issues over and over. GitHub and the rest of Otto Group’s cloud-native tech stack have enabled the company’s Digital Product Lab to deliver outsized returns.