
When Being Scrappy Backfires

When it pays dividends to do it right the first time.

Startup founders often over-glorify scrappiness and doing things that don't scale during the early part of their company's lifecycle. Early on, this serves them well in areas like:

  • Fostering 1:1 strong customer relationships
  • Interviewing every single candidate before they're hired to evaluate culture fit
  • Launching products early to get customer feedback and tackle bugs

Scrappiness backfires, however, when it comes to handling and sharing your company's sensitive data, such as API keys and database URLs. Here's why:

  • Good security isn't a patch. It should be at the core of company culture, and from there get baked into your products. Whether you're an independent developer or one of many engineers at a company, the risk of a leak or breach is always present, and it grows with every additional engineer who handles a secret.
  • An unscalable manual approach is time-consuming and risky, which invites shortcuts and error-prone habits.
  • Automating this workflow pays off for the whole lifespan of the company. (By contrast, automating sales or product-feedback pipelines very early on doesn't bring the same return.)

Here are 5 big no-no's when being scrappy:

  1. Don't try to build your own robust secrets manager unless no third-party service is able or willing to meet your urgent needs. Building in-house almost always takes longer than expected and is expensive to maintain.
  2. Don't write a bash script as a quick fix; it will keep breaking under edge cases you didn't anticipate and as your company scales. Homebrewed solutions are built for the now, which makes them brittle for future needs.
  3. Don't host on-premises security solutions yourself; doing so leaves you carrying liability you don't need, and on-premises pricing also tends to be very steep.
  4. Don't share your secrets over email, Slack, Google Docs, WhatsApp, or commit them to git. Once a secret has been committed it lives on in the repository history; deleting the file in a later commit does not remove it, so treat it as exposed and rotate it.
  5. Don't use .env files, as they're one of the easiest ways to increase the number of daily headaches in your company.
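
As an added example (not Doppler's code nor anything from the original article), here is a small POSIX-shell pre-commit hook that enforces the last two points mechanically: it refuses to commit .env files (placeholder templates such as .env.example excepted) and any staged content that looks like a credential. The four patterns are an illustrative set I chose for this example, the sample inputs are constructed, and the hook is assumed to be extended for the providers you actually use; a passing scan is a weak check, not proof that a commit is clean.

```shell
#!/bin/sh
# Added example, not Doppler's code: a git pre-commit hook that blocks
# commits containing .env files or credential-like strings.
# Install: copy to .git/hooks/pre-commit and chmod +x it.

# Return 0 when the path is a dotenv file that must never be committed.
# Placeholder templates (.env.example and friends) are allowed, since they
# are assumed to hold dummy values rather than real ones.
is_env_file() {
  base=$(basename "$1")
  case "$base" in
    .env.example|.env.sample|.env.template) return 1 ;;
    .env|.env.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Read content on stdin; return 0 if any line looks like a credential.
# The four patterns are illustrative (an AWS access key ID, a PEM private
# key header, KEY=value pairs with a long value, and a URL with embedded
# user:password) and are assumed to be extended for your own providers.
contains_secret() {
  grep -Eiq \
    -e 'AKIA[0-9A-Z]{16}' \
    -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' \
    -e '(password|passwd|secret|api_?key|token)[[:space:]]*[:=][[:space:]]*.?[A-Za-z0-9/+_=-]{16,}' \
    -e '[a-z][a-z0-9+.-]*://[^:/@[:space:]]+:[^@[:space:]]+@'
}

# Decide for one file (path as $1, staged content on stdin): print "ok"
# or the reason the commit should be blocked.
verdict() {
  path=$1
  if is_env_file "$path"; then
    echo "blocked: $path is a dotenv file"
  elif contains_secret; then
    echo "blocked: $path contains a credential-like string"
  else
    echo ok
  fi
}

# Hook entry point: check every added, copied or modified file as staged
# (git show :path reads the index, not the working tree) and abort the
# commit on the first finding.
scan_staged() {
  git diff --cached --name-only --diff-filter=ACM | while IFS= read -r f; do
    result=$(git show ":$f" | verdict "$f")
    [ "$result" = ok ] && continue
    echo "pre-commit: $result. Move the value into your secrets manager and commit a reference instead." >&2
    exit 1   # leaves the while-subshell with status 1, which the function returns
  done
}

# Only act as a hook when invoked as .git/hooks/pre-commit; otherwise the
# functions are merely defined so they can be reused or tested on their own.
case "$0" in
  */pre-commit) scan_staged ;;
esac
```

The scan reads the index rather than the working tree, so it judges exactly what would land in history. Because the hook lives in .git/hooks it is not versioned and developers can skip it with `git commit --no-verify`, so treat it as a guard rail, not a control: the same scan should also run in CI against every push.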

But hey, we get that sometimes being scrappy isn't an option. So if you are going to be scrappy, do it right: use a secrets manager and get the benefits without the risks and headaches described above. If you liked this article and our views on security and developer productivity, try out Doppler for free.
