A Platform for Managing Secrets Everywhere – InApps Technology 2022

Sitting in a hot tub in Cancun, Brian Vallelunga came to the realization that his crypto machine learning marketplace project wasn’t going to take off. Mulling over a host of problems, among them the difficulty of managing secrets, environment variables and app configuration, he came to the conclusion that the project wasn’t going to let him quit his day job, which at the time was as a software engineer for Uber.

Trying to salvage something from the project, he attended a dinner in San Francisco before COVID with around 50 or 60 founders and developers and asked whether this was a problem for others.

“It was like one pain point. There were a lot of different pain points, all centered around the same thing, the same root cause. And they’re all pretty painful to me,” he said.

About half told him they had similar issues.

“One woman, in particular, comes running up to me. I thought she was gonna trample me at one moment,” he said. “And she says, ‘I’ve had three outages this week. Have a solution by Sunday.’ And I was like, ‘No, no, no, it’s not possible to build something that fast.’ This was a Wednesday, and I just couldn’t do it in time.

“[Yet] it told me that this is a real problem. … And so I went looking at the market, and I realized that individual developers on hobby projects were struggling, medium-sized businesses were struggling … even enterprise customers were struggling a lot.”

He found companies using home-brewed tools that they built in house, Hashicorp Vault or .env files.

“And the thing that I realized was [that] all the tools out there weren’t built for me. They weren’t built for a developer,” he said. “They were built for security teams and DevOps teams. And the problem with that is that the security team really cares about security, but they don’t care about usability.”

And if the security team does goes through the buying and evaluation process without considering developer usability, the tool won’t gain adoption.

“And so I’m thinking, ‘Can I build something that is designed for developers from Day One, and will meet all the needs of DevOps and security, but it’s really tailored toward that developer experience?’” he said. From that idea Doppler was born.

Collaboration, Management Across Projects, Infrastructure

Vallelunga calls Doppler a “universal secrets platform” distinguishing from the term “secrets manager,” used to describe storing user data, such as credit cards or addresses, rather than app data, like API keys, database URLs and the like. Doppler is solely focused on app secrets.

With companies increasingly using hybrid infrastructure and third-party services like Twilio and Stripe, there’s exponential growth in the number of secrets for developers to manage. Security misconfiguration ranks among the Open Web Application Security Project (OWASP) Top 10 list of security vulnerabilities, with the organization recommending using automation to make sure that development, QA and production environments are all configured identically, with different credentials used in each environment.

To manage all that, developers need three things that Doppler provides, according to Vallelunga:

• Secure storage with encryption.
• A dashboard that allows them manage secrets in a collaborative way so they can edit them, delete them and so on.
• And automation to push those secrets into the right infrastructure so their applications and infrastructure can use them.

He maintains it’s the only solution that works from local development to production and on every stack and infrastructure.

Doppler is designed to mimic GitHub closely so using it will be familiar to developers. GitHub has repositories, and repositories have branches, and branches have code. In Doppler, you have projects and within them environments, such as staging/QA or production; and those environments have configs, which hold secrets.

“The value that Doppler drives is not that it’s a place to store and manage secrets in one location. It’s that it’s for every location, across all your projects, all your environments, all your cloud infrastructure, all your devices. And all your developers, it’s that one central source of truth,” Vallelunga said.

In each environment, there’s a root config, the master list of secrets, where you would go to change a secret or add one.

It stores JSON and environment variables.

“A lot of developers really struggle with secrets that are more than one line long. … Dopper just makes it very, very simple,” he said. It also allows developers to add comments to secrets. They can set recurring reminders. If a secret expires in 30 days, they can set up a reoccurring reminder to notify the team to rotate the secret, delete it or whatever. All the changes are versioned, just like in GitHub, so it’s easy for a developer to know what has changed, and they can roll it back at any time with point-in-time recovery. The company runs two infrastructures concurrently and can switch between them at the DNS layer if an outage occurs.

Using automation, it syncs distribution across environments and teams. With what it calls “branching,” there’s a branch config for every engineer. If there’s a change, they’ll be notified immediately.

It uses end-to-end encrypted communication channels, strictly enforcing SSL/TLS and required a valid certificate chain, and a tokenization process similar to that of payment processor Stripe.

In a Forbes article, Jeff Quiesser, the cofounder of Box, described building an in-house system for managing secrets, adding:

“Doppler would have been a huge help for us since they’ve combined a number of elements that we had to build, such as a strong role-based access control for who can see and modify what secrets; a great command line and web interface for managing secrets; an audit trail for any interactions with secrets; a built-in network for updating and distributing secrets; and all of the backend encryption and security controls for keeping secrets safe. In short, it would’ve saved us a ton of time and headaches.”

Eyes on Enterprise Market

Founded in 2018, the San Francisco-based startup has raised $8.8 million, the most recent $6.5 million round announced in March, led by Alphabet ‘s GV fund and joined by Y Combinator, Sequoia Capital and others.

The company has come a long way from its initial version, when Vallelunga rounded up a group of potential users for what he calls his “Chipotle sales strategy.” He took them to the restaurant and offered to buy them anything on the menu if they would listen to his pitch and try it out. He reportedly spent around $1,000 on that. (Not a sales strategy he recommends now.)

Ruud Visser, formerly of Instagram, and Thomas Piccirello, formerly a developer at BlackRock are founding engineers. Vallelunga, recently featured in Forbes’ 30 Under 30 in Enterprise Technology, is CEO. Piccirello the CTO.

Now a 12-person company, it recently introduced a tool called Doppler Share designed to enable teams to share one-off secrets such as lockbox codes or Wi-Fi passcodes through an expiring link.

Though so far focused on smaller companies, it’s also eyeing the enterprise market with features including token management, secrets referencing, cloud provider integrations, and support for SCIM (system for cross-domain identity management) and SAML (Security Assertion Markup Language.)

The company has one enterprise customer live in production and about 15 in the proof-of-concept phase. One thing they’re asking for is user groups. If they have hundreds of engineers, they don’t want to manage permissions one by one.

It competes with big players like AWS Secrets Manager, Azure Key Vault and Hashicorp Vault, as well as the likes of Keeper.io, Akeyless Vault, Keywhiz and open source Confidant.

In a contributed article to InApps Technology, Doppler’s Ryan Blunden delved into how Doppler stacks up against Hashicorp Vault.

“Vault is primarily aimed at security teams and is undoubtedly the most enterprise-capable and configurable secrets manager on the market,” he wrote. “Doppler, by contrast, is built for developers while still containing the features security teams expect from a secrets manager.”