A developer’s primary priority is to write code. Secondary tasks, like keeping track of secrets (digital authentication credentials) and managing who has access to them, go on the back burner. Yet secrets management must be done well, or a development team risks compromising its code at critical times. Most secrets management software is either built by DevOps and security-focused teams for teams like themselves, or is a quickly hacked-together developer solution that won’t scale with greater use.
Brian Vallelunga has struggled first-hand with secrets management. He and his team have built Doppler to address the problem. Doppler is the first ‘Universal Secrets Manager’ built specifically for developer teams of all sizes. The San Francisco-based startup has raised $2.3M in a seed round from Sequoia Capital, Kleiner Perkins, Abstract Ventures and Soma Capital, with participation from prominent tech investors and executives such as Aaron Levie, Peter Thiel, Nat Friedman, Dylan Field, Kevin Hartz, Greg Brockman, Jeremy Stoppelman and Ben Porterfield, and more.
Jeff Queisser, the cofounder of Box who leads their engineering organization, says, “At the start [of Box], we actually had to entirely build our own system for managing secrets and distributing them out. It was a huge hassle and required a good amount of maintenance on an ongoing basis. As measured by the ‘raise your hand if you want to work on this system’ test, it scored very poorly among our engineers.
“Doppler would have been a huge help for us since they’ve combined a number of elements that we had to build, such as: strong role-based access control for who can see and modify what secrets, a great command line and web interface for managing secrets, an audit trail for any interactions with secrets, a built-in network for updating & distributing secrets, and all of the backend encryption & security controls for keeping secrets safe. In short, it would’ve saved us a ton of time and headaches.”
Stephanie Zhan, the Sequoia partner who led the round, adds, “The need for speed when developing software and applications oftentimes results in compromised security measures. Doppler is transforming this process by providing developers with a robust secrets manager that is simple to use, easy to maintain and captures the entire development life cycle. At scale, Doppler will help developers spend more time building core applications rather than worrying about secrets management—ultimately, maximizing security and improving developer productivity.”
Frederick Daso: What is particularly challenging for managing secrets, or digital authentication credentials, for developers?
Brian Vallelunga: Four explosive trends are happening concurrently right now that culminate in a massive pain point. The number of projects developers are managing is growing faster than ever due to the massive adoption of microservices. These microservices are now being deployed to multiple infrastructure providers, instead of just one. We have seen many companies deploy to both Vercel and AWS. The industry is going multi-cloud. Simultaneously, companies are leaning on third-party services like Stripe and Twilio more than ever to perform tasks. This means engineering teams have far more secrets to keep in sync. Lastly, teams are becoming remote-first, meaning you can’t just write a secret on a piece of paper to share it with a coworker. They need operations like sharing sensitive data to be asynchronous.
With all four trends exploding, it can be incredibly challenging to manage an ever-growing list of secrets across an expansion of projects and deployments while ensuring your engineers aren’t blocked from a missing secret needed to develop locally.
Daso: Why hasn’t there been a centralized repository for secrets management? Or if there is, what are their limitations?
Vallelunga: Managing secrets is a very unsexy space. It is not just about making a central repository, but also designing the product around a developer’s workflow. Typically these types of products are built by a DevOps or security team for other DevOps and security teams, which leads to painfully cumbersome experiences for the end-user. Most secrets managers were designed to store user data (PII, credit card, medical data, etc.). So when the use-case needed to be tackled, it was typically a combination of the security and DevOps teams building those internal tools. When new products entered the space, they were either created by the same people (DevOps & security-minded folks) or designed for them. In a way, it’s like a self-fulfilling loop. Our product is built by developers for developers.
Daso: Why haven’t developers built their solution yet?
Vallelunga: They are usually too busy or build something homebrewed to solve their immediate pain point. Making something homebrewed seldom scales well because there wasn’t intentional thought into how it will scale past their current needs. I experienced the pain point personally and then saw my peers and other founders having the same problem. It became apparent that all the existing solutions were overly complicated, which made me ask why. We found that they were designed for DevOps and security-minded folks, which meant the products were designed for utility instead of utility + a pleasant experience.
Daso: You’re bullish on a massive market for secret management. Given that Doppler could ostensibly be used by development teams of all sizes, which segment of the market are you targeting first, and why?
Vallelunga: Doppler works great for teams of all sizes. As teams grow, Doppler’s value grows in proportion. So, where to focus first? Instead of focusing on specific team size, we are focused intensely on increasing awareness of Doppler and Universal Secrets Management within the developer communities. Developers work at startups and large enterprises, so we need to win developers’ hearts and minds first.
In the early days, we expect the early adopters to be forward-thinking sub-50-person engineering teams. As awareness and adoption grow, we hope larger organizations will join the movement.
Daso: What are the consequences of poor secret management that would drive a growing customer base in need of a solution?
Vallelunga: Every developer has been burned at some point by managing environment variables/secrets. From accidental leaks to outages and broken local builds, there are tons of ways manually managing environment variables could lead to a painful and costly experience. Most developers know not to put their hand in the fire. They haven’t had a way not to, until now.
Daso: What separates Doppler from existing secret management solutions on the market?
Vallelunga: Doppler is not a secret manager. It is a Universal Secrets Manager. It is a first-of-its-kind product designed for developers. It’s the only solution that works from local development to production with a beautiful dashboard and rich integrations with most infrastructure providers. Most importantly, Doppler universally works on every language, stack, and infrastructure with an interface that can be loved by every developer.
Daso: What is the difference between a secret manager and a ‘Universal Secrets Manager’?
Vallelunga: Great question. We see “Secrets Management” as an overloaded term used for a variety of use cases. Often it is used to describe storing user data (credit card, address, birthdays, medical data) or app data (API keys, database URLs, certs, etc.). A large part of this launch is creating a new category, “Universal Secrets Management,” which is solely focused on app secrets.
Unlike secret managers, a “Universal Secrets Manager” is designed to work from local development to production, on every stack and infrastructure. This is compared to something like AWS Secrets Manager, which typically only works in production on AWS. Lastly, it is designed for developers. Secrets Managers are typically built for the DevOps or security teams, which results in it being complicated and cumbersome to use for developers. We created Doppler for the everyday developer, with an explicit goal of abstracting all the cumbersome and painful experiences out of the product.
Daso: A secrets manager needs to be reliable for all software development stages. How did you design Doppler to be reliable and easy to use as a project’s complexity scales?
Vallelunga: We have solved this problem in two parts.
The first part is what Doppler does to ensure our infrastructure is always up. Each layer of the Doppler stack has redundancies built in. We run two infrastructures concurrently and switch between them at the DNS layer if an outage occurs. Our databases run with point-in-time recovery, allowing us to roll back to a transaction if needed. The Doppler CLI automatically creates an encrypted snapshot of your secrets on every successful run.
When developing offline, like on a plane, the CLI will smartly fall back to that encrypted snapshot, so you have an uninterrupted development flow.
The second part is the user-facing portion of the product. The product is designed to remove most guesswork and human error. We remove the guesswork by having a strong opinion on how secrets should be organized, with projects and configs. Projects make it easy to manage secrets across projects, while configs make it easy to separate secrets by environment. We take the human error out of managing secrets by baking many subtle automations into the product. From distributing changes to secrets instantly, so everyone remains in sync, to ensuring secret names stay consistent across environments, these are just a few of the things Doppler does to make sure you remain up.
Daso: What are some of the critical behaviors you look for in prospective Doppler candidates?
Vallelunga: This is a great question! Outside of a deep understanding of the role, we look for people who are super passionate about something loosely related to our space. This typically becomes visible quickly in how they talk about a problem they recently solved or a side project they do in their free time. We want to work with artists, not assassins. Artists would work on this even if they weren’t being paid, while assassins only pull the trigger if their bank account grows. An artist’s passion is the only driver they need.
Daso: How are you able to scale your team’s output while keeping the team relatively small?
Vallelunga: Building on my answer to your earlier question, we have found a strong correlation between brilliant people and a deep passion for hyper-productivity. If you love what you are working on and have the skills to succeed, it often doesn’t feel like work. Removing the overhead of “this is work” leads to a higher work ethic, resulting in more innovative solutions, as you genuinely care about the problem set you are solving.
For the latest tech news, subscribe to my newsletter, Founder to Founder.